10341000x80000000000000001952927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001952926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001952925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000662930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.888{F6DB49F2-3390-6307-2100-000000007702}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=336651FB5196EF0691644ADADCA9DFB2,SHA256=35FC7925C772CEA2DE5589863EAEA8233D3874D9DBE518A615073D67754C72EC,IMPHASH=00000000000000000000000000000000falsetrue
734700x8000000000000000662929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.873{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid
734700x8000000000000000662928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.873{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid
734700x8000000000000000662927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.873{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid
734700x8000000000000000662926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.873{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid
734700x8000000000000000662925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.873{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid
734700x8000000000000000662924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.873{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid
734700x8000000000000000662923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.873{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x8000000000000000662922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.873{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid
734700x8000000000000000662921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid
734700x8000000000000000662920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid
734700x8000000000000000662919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x8000000000000000662918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x8000000000000000662917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x8000000000000000662916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid
734700x8000000000000000662915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid
734700x8000000000000000662914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x8000000000000000662913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000662912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid
734700x8000000000000000662911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
734700x8000000000000000662910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x8000000000000000662909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x8000000000000000662908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x8000000000000000662907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid
734700x8000000000000000662906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000662905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x8000000000000000662904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid
734700x8000000000000000662903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid
734700x8000000000000000662902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid
734700x8000000000000000662901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000662900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid
734700x8000000000000000662899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
734700x8000000000000000662898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x8000000000000000662897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x8000000000000000662896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid
734700x8000000000000000662895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid
734700x8000000000000000662894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid
10341000x8000000000000000662893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-3391-6307-2B00-000000007702}28802900C:\Windows\system32\conhost.exe{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000662892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid
734700x8000000000000000662891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid
10341000x8000000000000000662890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000662889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000662888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
10341000x8000000000000000662887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000662886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid
10341000x8000000000000000662885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000662884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000662883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000662882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000662881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000662880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000662879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-338F-6307-0500-000000007702}416432C:\Windows\system32\csrss.exe{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000662878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.857{F6DB49F2-3390-6307-2100-000000007702}20323172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000662877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.858{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-338F-6307-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-3390-6307-2100-000000007702}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000662876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.748{F6DB49F2-3390-6307-2100-000000007702}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000662875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.607{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D815E0774B6E504AD3A6659CD95A32,SHA256=44B51793877D0522CC810F13465E1ED42911701AF54AE5E91FF7A38B3005AB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000662874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.501{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AD799E8182F1742A381B532A3DF1851F,SHA256=917BBD83A8B82A0865F51A0C008DC15373EB866D5CC67E356D3C6552FB5D4386,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001952924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:29.958{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
Inc.Valid 734700x8000000000000000662835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000662834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000662833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-3391-6307-2B00-000000007702}28802900C:\Windows\system32\conhost.exe{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000662832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 
(rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000662831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000662830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000662829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:29.180{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000662828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000662827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 
10341000x8000000000000000662826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:29.180{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-338F-6307-0500-000000007702}4163384C:\Windows\system32\csrss.exe{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000662818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.180{F6DB49F2-3390-6307-2100-000000007702}20323172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000662817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.181{F6DB49F2-5611-6307-C904-000000007702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-338F-6307-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-3390-6307-2100-000000007702}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000662816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:29.024{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887FC8891E72B48670E4242427085545,SHA256=89B498EEF7E139015787CF81117CEC5AF8FCB63456185A982540168602DEC15F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001952997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001952994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001952991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001952988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001952985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:30.973{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
Sysmon events, channel Microsoft-Windows-Sysmon/Operational, 2022-08-25. Every record below has Level 4, Opcode 0, Keywords 0x8000000000000000 and RuleName -.

Event ID 10 (ProcessAccess, version 3, Task 10), Computer win-dc-ctus-attack-range-854.attackrange.local, EventRecordID 1952982 down to 1952931 (52 records). All 52 share:
  UtcTime            2022-08-25 10:59:30.973
  SourceProcessGUID  {D25361F1-3610-6307-F600-000000007602}
  SourceProcessId    5728
  SourceThreadId     5268
  SourceImage        C:\Users\Administrator\Downloads\procexp64.exe
  GrantedAccess      0x1fffff
  CallTrace          A or B, as marked in the last column:
    A = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
    B = C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

  EventRecordID  TargetProcessGUID                        TargetProcessId  TargetImage  CallTrace
  1952982  {D25361F1-361E-6307-FB00-000000007602}  6112  C:\Users\Administrator\Downloads\Procmon64.exe  A
  1952981  {D25361F1-35FB-6307-F000-000000007602}  4288  C:\Windows\system32\conhost.exe  A
  1952980  {D25361F1-35FB-6307-EF00-000000007602}  4276  C:\Windows\system32\cmd.exe  A
  1952979  {D25361F1-35E9-6307-E200-000000007602}  5316  C:\Program Files\Aurora-Agent\aurora-agent.exe  A
  1952978  {D25361F1-35E2-6307-E000-000000007602}  4860  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  A
  1952977  {D25361F1-35E2-6307-DF00-000000007602}  4184  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  A
  1952976  {D25361F1-35E0-6307-DE00-000000007602}  5008  C:\Windows\Explorer.EXE  A
  1952975  {D25361F1-35E0-6307-D600-000000007602}  4472  C:\Windows\system32\svchost.exe  A
  1952974  {D25361F1-35E0-6307-D300-000000007602}  4392  C:\Windows\System32\rdpclip.exe  A
  1952973  {D25361F1-35DE-6307-D000-000000007602}  3896  C:\Windows\system32\dwm.exe  A
  1952972  {D25361F1-35DD-6307-CE00-000000007602}  764   C:\Windows\system32\winlogon.exe  A
  1952971  {D25361F1-35DD-6307-CD00-000000007602}  1324  C:\Windows\system32\csrss.exe  B
  1952970  {D25361F1-341E-6307-8900-000000007602}  3136  C:\Windows\System32\msdtc.exe  A
  1952969  {D25361F1-33B6-6307-7B00-000000007602}  2184  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  A
  1952968  {D25361F1-33AF-6307-7100-000000007602}  3892  C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  A
  1952967  {D25361F1-33A5-6307-4500-000000007602}  3548  C:\Windows\system32\conhost.exe  A
  1952966  {D25361F1-33A5-6307-4100-000000007602}  3460  C:\Program Files\Amazon\SSM\ssm-agent-worker.exe  A
  1952965  {D25361F1-33A4-6307-3A00-000000007602}  3188  C:\Windows\System32\vds.exe  A
  1952964  {D25361F1-33A4-6307-3700-000000007602}  3120  C:\Windows\system32\conhost.exe  A
  1952963  {D25361F1-33A3-6307-3100-000000007602}  2960  C:\Windows\system32\wbem\unsecapp.exe  A
  1952962  {D25361F1-33A3-6307-2F00-000000007602}  2772  C:\Windows\system32\DFSRs.exe  A
  1952961  {D25361F1-33A3-6307-2E00-000000007602}  2764  C:\Windows\system32\dfssvc.exe  A
  1952960  {D25361F1-33A3-6307-2D00-000000007602}  2752  C:\Windows\System32\ismserv.exe  A
  1952959  {D25361F1-33A3-6307-2C00-000000007602}  2604  C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  A
  1952958  {D25361F1-33A3-6307-2B00-000000007602}  2596  C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe  A
  1952957  {D25361F1-33A3-6307-2900-000000007602}  2580  C:\Windows\system32\svchost.exe  A
  1952956  {D25361F1-33A3-6307-2800-000000007602}  2568  C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe  A
  1952955  {D25361F1-33A3-6307-2700-000000007602}  2560  C:\Windows\system32\dns.exe  A
  1952954  {D25361F1-33A3-6307-2600-000000007602}  2552  C:\Windows\sysmon64.exe  A
  1952953  {D25361F1-33A3-6307-2500-000000007602}  2476  C:\Windows\System32\spoolsv.exe  A
  1952952  {D25361F1-339C-6307-2300-000000007602}  2332  C:\Windows\System32\svchost.exe  A
  1952951  {D25361F1-3393-6307-1D00-000000007602}  2088  C:\Windows\system32\svchost.exe  A
  1952950  {D25361F1-3393-6307-1700-000000007602}  1396  C:\Windows\system32\svchost.exe  A
  1952949  {D25361F1-3393-6307-1600-000000007602}  1308  C:\Windows\system32\svchost.exe  A
  1952948  {D25361F1-3392-6307-1500-000000007602}  1256  C:\Windows\system32\svchost.exe  A
  1952947  {D25361F1-3392-6307-1400-000000007602}  1084  C:\Windows\system32\svchost.exe  A
  1952946  {D25361F1-3392-6307-1300-000000007602}  928   C:\Windows\system32\dwm.exe  A
  1952945  {D25361F1-3392-6307-1200-000000007602}  484   C:\Windows\System32\svchost.exe  A
  1952944  {D25361F1-3392-6307-1100-000000007602}  420   C:\Windows\System32\svchost.exe  A
  1952943  {D25361F1-3392-6307-1000-000000007602}  440   C:\Windows\system32\svchost.exe  A
  1952942  {D25361F1-3392-6307-0F00-000000007602}  108   C:\Windows\System32\svchost.exe  A
  1952941  {D25361F1-3392-6307-0E00-000000007602}  996   C:\Windows\system32\LogonUI.exe  A
  1952940  {D25361F1-3392-6307-0D00-000000007602}  892   C:\Windows\system32\svchost.exe  A
  1952939  {D25361F1-3392-6307-0C00-000000007602}  836   C:\Windows\system32\svchost.exe  A
  1952938  {D25361F1-3390-6307-0B00-000000007602}  632   C:\Windows\system32\lsass.exe  A
  1952937  {D25361F1-3390-6307-0A00-000000007602}  624   C:\Windows\system32\services.exe  B
  1952936  {D25361F1-3390-6307-0900-000000007602}  572   C:\Windows\system32\winlogon.exe  A
  1952935  {D25361F1-3390-6307-0800-000000007602}  496   C:\Windows\system32\csrss.exe  B
  1952934  {D25361F1-3390-6307-0700-000000007602}  488   C:\Windows\system32\wininit.exe  B
  1952933  {D25361F1-3390-6307-0500-000000007602}  416   C:\Windows\system32\csrss.exe  B
  1952932  {D25361F1-338D-6307-0200-000000007602}  320   C:\Windows\System32\smss.exe  B
  1952931  {D25361F1-338D-6307-0100-000000007602}  4     System  B

Event ID 23 (FileDelete, version 5, Task 23), Computer win-dc-ctus-attack-range-854.attackrange.local
  EventRecordID 1952930, UtcTime 2022-08-25 10:59:30.826
    ProcessGuid {D25361F1-33B6-6307-7B00-000000007602}, ProcessId 2184, User NT AUTHORITY\SYSTEM
    Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
    TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
    Hashes MD5=BBD401BF5D7A258F3A4A17B715591986,SHA256=5BDA0090F530CC14C9DA13CC7AEBD3042EDD41030B85C1E3A1A0AD30E8DD2B9F,IMPHASH=00000000000000000000000000000000
    IsExecutable false, Archived true
  EventRecordID 1952928, UtcTime 2022-08-25 10:59:30.125
    ProcessGuid {D25361F1-33B6-6307-7B00-000000007602}, ProcessId 2184, User NT AUTHORITY\SYSTEM
    Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
    TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
    Hashes MD5=B98014DCB151338534C77A6113163B3E,SHA256=897DFAA653658245231F51D37E600ED6EC65495DAB2E7984E398FBF3A9B23FEC,IMPHASH=00000000000000000000000000000000
    IsExecutable false, Archived true

Event ID 3 (NetworkConnect, version 5, Task 3), Computer win-dc-ctus-attack-range-854.attackrange.local
  EventRecordID 1952929, UtcTime 2022-08-25 10:59:28.841
    ProcessGuid {D25361F1-33AF-6307-7100-000000007602}, ProcessId 3892, User NT AUTHORITY\SYSTEM
    Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
    Protocol tcp, Initiated true
    SourceIsIpv6 false, SourceIp 10.0.1.14, SourceHostname win-dc-ctus-attack-range-854.attackrange.local, SourcePort 64274, SourcePortName -
    DestinationIsIpv6 false, DestinationIp 10.0.1.12, DestinationHostname ip-10-0-1-12.us-east-2.compute.internal, DestinationPort 8000, DestinationPortName -

Event ID 3 (NetworkConnect, version 5, Task 3), Computer win-host-ctus-attack-range-538
  EventRecordID 662992, UtcTime 2022-08-25 10:59:29.889
    ProcessGuid {F6DB49F2-3390-6307-2100-000000007702}, ProcessId 2032, User NT AUTHORITY\SYSTEM
    Image C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
    Protocol tcp, Initiated true
    SourceIsIpv6 false, SourceIp 10.0.1.15, SourceHostname win-host-ctus-attack-range-538.us-east-2.compute.internal, SourcePort 51438, SourcePortName -
    DestinationIsIpv6 false, DestinationIp 10.0.1.12, DestinationHostname -, DestinationPort 8089, DestinationPortName -

Event ID 23 (FileDelete, version 5, Task 23), Computer win-host-ctus-attack-range-538
  EventRecordID 662991, UtcTime 2022-08-25 10:59:30.881
    ProcessGuid {F6DB49F2-33A2-6307-6D00-000000007702}, ProcessId 3760, User NT AUTHORITY\SYSTEM
    Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
    TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
    Hashes MD5=E39651C135BC0A3F6AB95B39980BEA82,SHA256=FCC4C4FAD045866F42FBACF6F2881A04A2C81965F27EA73D71CF1DA2C06E72C0,IMPHASH=00000000000000000000000000000000
    IsExecutable false, Archived true

Event ID 10 (ProcessAccess, version 3, Task 10), Computer win-host-ctus-attack-range-538
  EventRecordID 662989, UtcTime 2022-08-25 10:59:30.662
    SourceProcessGUID {F6DB49F2-5612-6307-CB04-000000007702}, SourceProcessId 4120, SourceThreadId 3212
    SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
    TargetProcessGUID {F6DB49F2-3390-6307-2100-000000007702}, TargetProcessId 2032
    TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
    GrantedAccess 0x101400
    CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Event ID 7 (ImageLoad, version 3, Task 7), Computer win-host-ctus-attack-range-538, six records, all with:
  ProcessGuid {F6DB49F2-5612-6307-CB04-000000007702}, ProcessId 4120
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  Product Microsoft® Windows® Operating System, Signed true, Signature Microsoft Windows, SignatureStatus Valid

  EventRecordID 662990, UtcTime 2022-08-25 10:59:30.662
    ImageLoaded C:\Windows\System32\kernel.appcore.dll, FileVersion 10.0.14393.2312 (rs1_release.180607-1919)
    Description AppModel API Host, Company Microsoft Corporation, OriginalFileName kernel.appcore.dll
    Hashes MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D
  EventRecordID 662988, UtcTime 2022-08-25 10:59:30.662
    ImageLoaded C:\Windows\System32\dbgcore.dll, FileVersion 10.0.14321.1024 (debuggers(dbg).210127-1811)
    Description Windows Core Debugging Helpers, Company Microsoft, OriginalFileName DBGCORE.DLL
    Hashes MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E
  EventRecordID 662987, UtcTime 2022-08-25 10:59:30.662
    ImageLoaded C:\Windows\System32\dbghelp.dll, FileVersion 10.0.14321.1024 (rs1_release.160715-1616)
    Description Windows Image Helper, Company Microsoft, OriginalFileName DBGHELP.DLL
    Hashes MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE
  EventRecordID 662986, UtcTime 2022-08-25 10:59:30.546
    ImageLoaded C:\Windows\System32\cryptbase.dll, FileVersion 10.0.14393.0 (rs1_release.160715-1616)
    Description Base cryptographic API DLL, Company Microsoft Corporation, OriginalFileName cryptbase.dll
    Hashes MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4
  EventRecordID 662985, UtcTime 2022-08-25 10:59:30.545
    ImageLoaded C:\Windows\System32\rsaenh.dll, FileVersion 10.0.14393.4467 (rs1_release.210604-1844)
    Description Microsoft Enhanced Cryptographic Provider, Company Microsoft Corporation, OriginalFileName rsaenh.dll
    Hashes MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686
  EventRecordID 662984, UtcTime 2022-08-25 10:59:30.545
    ImageLoaded C:\Windows\System32\cryptsp.dll, FileVersion 10.0.14393.2969 (rs1_release.190503-1820)
    Description Cryptographic Service Provider API, Company Microsoft Corporation, OriginalFileName cryptsp.dll
    Hashes MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869
  EventRecordID 662983, UtcTime 2022-08-25 10:59:30.544
    ImageLoaded C:\Windows\System32\srvcli.dll, FileVersion 10.0.14393.5066 (rs1_release.220401-1841)
    Description Server Service Client DLL, Company Microsoft Corporation, OriginalFileName SRVCLI.DLL
    Hashes MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F
734700x8000000000000000662982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.543{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000662981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.542{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000662980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.542{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000662979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.541{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 
(rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000662978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.535{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000662977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.535{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000662976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.535{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000662975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.534{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000662974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.534{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000662973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.534{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000662972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.533{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000662971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.533{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000662970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.533{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000662969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.533{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000662968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.533{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000662967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.533{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000662966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.533{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000662965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000662964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000662963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000662962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000662961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000662960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000662959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000662958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000662957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.532{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000662956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.531{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000662955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.531{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, 
Inc.Valid 734700x8000000000000000662954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.531{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000662953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.531{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000662952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.531{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000662951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.530{F6DB49F2-3391-6307-2B00-000000007702}28802900C:\Windows\system32\conhost.exe{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000662950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.529{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000662949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.529{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000662948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:30.529{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000662947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.529{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000662946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:30.528{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.528{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000662944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.528{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000662943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.528{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:30.528{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.528{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:30.528{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.528{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:30.528{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.528{F6DB49F2-338F-6307-0500-000000007702}4164064C:\Windows\system32\csrss.exe{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000662936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.527{F6DB49F2-3390-6307-2100-000000007702}20323172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000662935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.524{F6DB49F2-5612-6307-CB04-000000007702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-338F-6307-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-3390-6307-2100-000000007702}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000662934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.232{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9029C88AF29DBCA94B7C0703165F9CEE,SHA256=644EDF14189F7FEE8D8FD0FF58865A88978DE45B43257ABB9A752CF757CA401B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000662933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:30.029{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000662932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.029{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000662931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:30.029{F6DB49F2-5611-6307-CA04-000000007702}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x80000000000000001953045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000663050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.717{F6DB49F2-5613-6307-CD04-000000007702}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-338F-6307-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-3390-6307-2100-000000007702}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000663049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.256{F6DB49F2-5613-6307-CC04-000000007702}46363920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-3390-6307-2100-000000007702}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000663048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.256{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000663047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.256{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000663046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000663045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000663044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000663043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000663042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000663041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000663040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000663039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000663038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000663037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000663036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000663035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000663034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000663033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000663032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000663031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000663030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000663029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000663028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000663027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000663026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.115{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000663025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000663024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000663023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000663022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000663021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000663020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 
(rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000663019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000663018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000663017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000663016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000663015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000663014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000663013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000663012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000663011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000663010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-3391-6307-2B00-000000007702}28802900C:\Windows\system32\conhost.exe{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000663009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000663008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000663007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000663006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000663005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:31.100{F6DB49F2-338F-6307-0500-000000007702}4163384C:\Windows\system32\csrss.exe{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000662995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.100{F6DB49F2-3390-6307-2100-000000007702}20323172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000662994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.101{F6DB49F2-5613-6307-CC04-000000007702}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-338F-6307-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-3390-6307-2100-000000007702}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000662993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:31.053{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0034BD684E5E6369E2112BC6FE4597F,SHA256=A155746EC78FB1788641A676A4EE371D7455A72442354DB62DBA4B9A8FD85AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000663169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.565{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D323730A2DED615702622497F8B8A6,SHA256=3BC5279AC28BBA381641F43B26A833D3CDC226604C980E7FBFA01F1B4662152D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000663168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.388{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000663167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.388{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000663166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.388{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x80000000000000001953068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:32.988{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B29731B00F2829CAFE5E0BAE0B92DC,SHA256=E7100D2556C13FF2DBDB17146F28443EDBA1C01E30D014B771F6F2F5339041B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001953067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:32.322{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2DD0450CCAEC723571243B7FCB6F11,SHA256=F5D46065CC96B0DE9A1C2CBF4624AC7C90723C2B4F0314E49A715D846B736FF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001953066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:32.004{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:32.004{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:31.988{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000663165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.231{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000663164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.231{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000663163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.231{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic 
Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000663162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.231{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000663161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.231{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000663160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:32.231{F6DB49F2-5614-6307-CE04-000000007702}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
10341000x80000000000000001953126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001953123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001953120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.025{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.024{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.024{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.024{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.024{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.024{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.023{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:33.023{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:33.023  SourceProcessGuid {D25361F1-3610-6307-F600-000000007602}  SourceProcessId/SourceThreadId 57285268 (run together in the export; read as 5728 / 5268)  SourceImage C:\Users\Administrator\Downloads\procexp64.exe  TargetProcessGuid {D25361F1-3393-6307-1600-000000007602}  TargetProcessId 1308  TargetImage C:\Windows\system32\svchost.exe  GrantedAccess 0x1fffff  CallTrace A (as listed below)

Sysmon ProcessAccess records (EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000) from Channel Microsoft-Windows-Sysmon/Operational on Computer win-dc-ctus-attack-range-854.attackrange.local, RuleName "-". Every row shares SourceProcessGuid {D25361F1-3610-6307-F600-000000007602}, SourceImage C:\Users\Administrator\Downloads\procexp64.exe and the source PID/TID pair the export runs together as 57285268 (read as SourceProcessId 5728, SourceThreadId 5268). UtcTime date is 2022-08-25 throughout; only the time of day is shown.

CallTrace A = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
CallTrace B = C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID  UtcTime  TargetProcessGuid  TargetProcessId  TargetImage  GrantedAccess  CallTrace
1953086  10:59:33.023  {D25361F1-3392-6307-1500-000000007602}  1256  C:\Windows\system32\svchost.exe  0x1fffff  A
1953085  10:59:33.023  {D25361F1-3392-6307-1400-000000007602}  1084  C:\Windows\system32\svchost.exe  0x1fffff  A
1953084  10:59:33.023  {D25361F1-3392-6307-1300-000000007602}  928  C:\Windows\system32\dwm.exe  0x1fffff  A
1953083  10:59:33.023  {D25361F1-3392-6307-1200-000000007602}  484  C:\Windows\System32\svchost.exe  0x1fffff  A
1953082  10:59:33.023  {D25361F1-3392-6307-1100-000000007602}  420  C:\Windows\System32\svchost.exe  0x1fffff  A
1953081  10:59:33.023  {D25361F1-3392-6307-1000-000000007602}  440  C:\Windows\system32\svchost.exe  0x1fffff  A
1953080  10:59:33.023  {D25361F1-3392-6307-0F00-000000007602}  108  C:\Windows\System32\svchost.exe  0x1fffff  A
1953079  10:59:33.022  {D25361F1-3392-6307-0E00-000000007602}  996  C:\Windows\system32\LogonUI.exe  0x1fffff  A
1953078  10:59:33.022  {D25361F1-3392-6307-0D00-000000007602}  892  C:\Windows\system32\svchost.exe  0x1fffff  A
1953077  10:59:33.022  {D25361F1-3392-6307-0C00-000000007602}  836  C:\Windows\system32\svchost.exe  0x1fffff  A
1953076  10:59:33.022  {D25361F1-3390-6307-0B00-000000007602}  632  C:\Windows\system32\lsass.exe  0x1fffff  A
1953075  10:59:33.022  {D25361F1-3390-6307-0A00-000000007602}  624  C:\Windows\system32\services.exe  0x1fffff  B
1953074  10:59:33.021  {D25361F1-3390-6307-0900-000000007602}  572  C:\Windows\system32\winlogon.exe  0x1fffff  A
1953073  10:59:33.021  {D25361F1-3390-6307-0800-000000007602}  496  C:\Windows\system32\csrss.exe  0x1fffff  B
1953072  10:59:33.021  {D25361F1-3390-6307-0700-000000007602}  488  C:\Windows\system32\wininit.exe  0x1fffff  B
1953071  10:59:33.021  {D25361F1-3390-6307-0500-000000007602}  416  C:\Windows\system32\csrss.exe  0x1fffff  B
1953070  10:59:33.021  {D25361F1-338D-6307-0200-000000007602}  320  C:\Windows\System32\smss.exe  0x1fffff  B
1953069  10:59:33.021  {D25361F1-338D-6307-0100-000000007602}  4  System  0x1fffff  B

Sysmon ImageLoad records (EventID 7, Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000) from Channel Microsoft-Windows-Sysmon/Operational on Computer win-host-ctus-attack-range-538, RuleName "-", ProcessGuid {F6DB49F2-5616-6307-CF04-000000007702}, ProcessId 2016, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; every row has Signed true, Signature Microsoft Windows, SignatureStatus Valid.
EventRecordID 663234  UtcTime 2022-08-25 10:59:34.724  ImageLoaded C:\Windows\System32\kernel.appcore.dll  FileVersion 10.0.14393.2312 (rs1_release.180607-1919)  Description AppModel API Host  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName kernel.appcore.dll  Hashes MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D
EventRecordID 663233  UtcTime 2022-08-25 10:59:34.724  ImageLoaded C:\Windows\System32\dbgcore.dll  FileVersion 10.0.14321.1024 (debuggers(dbg).210127-1811)  Description Windows Core Debugging Helpers  Product Microsoft® Windows® Operating System  Company Microsoft  OriginalFileName DBGCORE.DLL  Hashes MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E
EventRecordID 663232  UtcTime 2022-08-25 10:59:34.724  ImageLoaded C:\Windows\System32\dbghelp.dll  FileVersion 10.0.14321.1024 (rs1_release.160715-1616)  Description Windows Image Helper  Product Microsoft® Windows® Operating System  Company Microsoft  OriginalFileName DBGHELP.DLL  Hashes MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE

Sysmon FileDelete record (EventID 23, Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000), Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-ctus-attack-range-538, RuleName "-":
EventRecordID 663231  UtcTime 2022-08-25 10:59:34.615  ProcessGuid {F6DB49F2-33A2-6307-6D00-000000007702}  ProcessId 3760  User NT AUTHORITY\SYSTEM  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational  Hashes MD5=1CC3B0189ACB0019B57B92F54F906A57,SHA256=757C1AA210BB445DFA62BD90E2804EAE480615B2D03198E9F93B4225CD59DBB3,IMPHASH=00000000000000000000000000000000  IsExecutable false  Archived true

Sysmon ProcessAccess records (EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000), Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-ctus-attack-range-538, RuleName "-". Every row shares SourceProcessGuid {F6DB49F2-3B66-6307-9E01-000000007702}, the source PID/TID pair the export runs together as 44724560 (read as SourceProcessId 4472, SourceThreadId 4560), SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe, TargetProcessGuid {F6DB49F2-5616-6307-CF04-000000007702}, TargetProcessId 2016, TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe.
CallTrace C = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000134DC190)
EventRecordID 663230  UtcTime 2022-08-25 10:59:34.522  GrantedAccess 0x1010  CallTrace C
EventRecordID 663229  UtcTime 2022-08-25 10:59:34.522  GrantedAccess 0x1000  CallTrace C
EventRecordID 663228  UtcTime 2022-08-25 10:59:34.522  GrantedAccess 0x1000  CallTrace C

Sysmon FileDelete record (EventID 23, Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000), Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-ctus-attack-range-854.attackrange.local, RuleName "-":
EventRecordID 1953326  UtcTime 2022-08-25 10:59:34.203  ProcessGuid {D25361F1-33B6-6307-7B00-000000007602}  ProcessId 2184  User NT AUTHORITY\SYSTEM  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational  Hashes MD5=CFD0B8761C26FD93009AF1A1DA1A0D80,SHA256=904A81BF107D23E4D6F536AAE4448EDB2014F6028785326C524F69953594BD7D,IMPHASH=00000000000000000000000000000000  IsExecutable false  Archived true

Sysmon ProcessAccess records from procexp64.exe on win-dc-ctus-attack-range-854.attackrange.local, same shared fields and CallTrace keys as the first table above (SourceProcessGuid {D25361F1-3610-6307-F600-000000007602}, 5728 / 5268, SourceImage C:\Users\Administrator\Downloads\procexp64.exe); UtcTime date 2022-08-25.
EventRecordID  UtcTime  TargetProcessGuid  TargetProcessId  TargetImage  GrantedAccess  CallTrace
1953325  10:59:34.055  {D25361F1-52AD-6307-E404-000000007602}  7476  C:\Windows\SYSTEM32\notepad.exe  0x1fffff  A
1953324  10:59:34.055  {D25361F1-4AD7-6307-F503-000000007602}  6996  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953323  10:59:34.055  {D25361F1-4AD1-6307-F403-000000007602}  7488  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953322  10:59:34.055  {D25361F1-4AD0-6307-F303-000000007602}  9620  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953321  10:59:34.055  {D25361F1-4AB4-6307-EB03-000000007602}  6088  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953320  10:59:34.055  {D25361F1-4A8F-6307-EA03-000000007602}  6404  C:\Windows\system32\wbem\wmiprvse.exe  0x1fffff  A
1953319  10:59:34.055  {D25361F1-49F6-6307-CD03-000000007602}  7868  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953318  10:59:34.055  {D25361F1-436A-6307-0703-000000007602}  6260  C:\Program Files\IDA Freeware 8.0\ida64.exe  0x1fffff  A
1953317  10:59:34.055  {D25361F1-4210-6307-D702-000000007602}  7048  C:\Windows\System32\win32calc.exe  0x1fffff  A
1953316  10:59:34.055  {D25361F1-37A5-6307-3901-000000007602}  6588  C:\Windows\ImmersiveControlPanel\SystemSettings.exe  0x1fffff  A
1953315  10:59:34.055  {D25361F1-37A2-6307-3301-000000007602}  5680  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953314  10:59:34.055  {D25361F1-37A2-6307-3201-000000007602}  3700  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953313  10:59:34.055  {D25361F1-37A1-6307-3101-000000007602}  4360  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953312  10:59:34.055  {D25361F1-37A1-6307-3001-000000007602}  5144  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953311  10:59:34.055  {D25361F1-37A0-6307-2F01-000000007602}  4596  C:\Program Files\Mozilla Firefox\firefox.exe  0x1fffff  A
1953310  10:59:34.055  {D25361F1-361E-6307-FB00-000000007602}  6112  C:\Users\Administrator\Downloads\Procmon64.exe  0x1fffff  A
1953309  10:59:34.055  {D25361F1-35FB-6307-F000-000000007602}  4288  C:\Windows\system32\conhost.exe  0x1fffff  A
1953308  10:59:34.055  {D25361F1-35FB-6307-EF00-000000007602}  4276  C:\Windows\system32\cmd.exe  0x1fffff  A
1953307  10:59:34.055  {D25361F1-35E9-6307-E200-000000007602}  5316  C:\Program Files\Aurora-Agent\aurora-agent.exe  0x1fffff  A
1953306  10:59:34.055  {D25361F1-35E2-6307-E000-000000007602}  4860  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  0x1fffff  A
1953305  10:59:34.055  {D25361F1-35E2-6307-DF00-000000007602}  4184  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  0x1fffff  A
1953304  10:59:34.055  {D25361F1-35E0-6307-DE00-000000007602}  5008  C:\Windows\Explorer.EXE  0x1fffff  A
1953303  10:59:34.055  {D25361F1-35E0-6307-D600-000000007602}  4472  C:\Windows\system32\svchost.exe  0x1fffff  A
1953302  10:59:34.055  {D25361F1-35E0-6307-D300-000000007602}  4392  C:\Windows\System32\rdpclip.exe  0x1fffff  A
1953301  10:59:34.055  {D25361F1-35DE-6307-D000-000000007602}  3896  C:\Windows\system32\dwm.exe  0x1fffff  A
1953300  10:59:34.055  {D25361F1-35DD-6307-CE00-000000007602}  764  C:\Windows\system32\winlogon.exe  0x1fffff  A
1953299  10:59:34.055  {D25361F1-35DD-6307-CD00-000000007602}  1324  C:\Windows\system32\csrss.exe  0x1fffff  B
1953298  10:59:34.055  {D25361F1-341E-6307-8900-000000007602}  3136  C:\Windows\System32\msdtc.exe  0x1fffff  A
1953297  10:59:34.055  {D25361F1-33B6-6307-7B00-000000007602}  2184  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  0x1fffff  A
1953296  10:59:34.055  {D25361F1-33AF-6307-7100-000000007602}  3892  C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  0x1fffff  A
1953295  10:59:34.055  {D25361F1-33A5-6307-4500-000000007602}  3548  C:\Windows\system32\conhost.exe  0x1fffff  A
1953294  10:59:34.055  {D25361F1-33A5-6307-4100-000000007602}  3460  C:\Program Files\Amazon\SSM\ssm-agent-worker.exe  0x1fffff  A
1953293  10:59:34.055  {D25361F1-33A4-6307-3A00-000000007602}  3188  C:\Windows\System32\vds.exe  0x1fffff  A
1953292  10:59:34.055  {D25361F1-33A4-6307-3700-000000007602}  3120  C:\Windows\system32\conhost.exe  0x1fffff  A
1953291  10:59:34.055  {D25361F1-33A3-6307-3100-000000007602}  2960  C:\Windows\system32\wbem\unsecapp.exe  0x1fffff  A
1953290  10:59:34.055  {D25361F1-33A3-6307-2F00-000000007602}  2772  C:\Windows\system32\DFSRs.exe  0x1fffff  A
EventRecordID 1953289  (EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-ctus-attack-range-854.attackrange.local, RuleName "-")  UtcTime 2022-08-25 
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.522{F6DB49F2-3B66-6307-9E01-000000007702}44724560C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000134DC190) 10341000x8000000000000000663226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.522{F6DB49F2-3B66-6307-9E01-000000007702}44724560C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000134DC190) 10341000x8000000000000000663225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.522{F6DB49F2-3B66-6307-9E01-000000007702}44724560C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000134DC190) 734700x8000000000000000663224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.477{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000663223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.477{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft 
WindowsValid 734700x8000000000000000663222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.477{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000663221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.477{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000663220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.461{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000663219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.461{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000663218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.461{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000663217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.461{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000663216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000663215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000663214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000663213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000663212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000663211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000663210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000663209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000663208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000663207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000663206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000663205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000663204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000663203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000663202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000663201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000663200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000663199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000663198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000663197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000663196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000663195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000663194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000663193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000663192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000663191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000663190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000663189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000663188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-3391-6307-2B00-000000007702}28802900C:\Windows\system32\conhost.exe{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000663187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000663186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000663185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000663183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000663182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000663181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000663180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:34.446{F6DB49F2-338F-6307-0500-000000007702}416532C:\Windows\system32\csrss.exe{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000663173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-3390-6307-2100-000000007702}20323172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000663172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.446{F6DB49F2-5616-6307-CF04-000000007702}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-338F-6307-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-3390-6307-2100-000000007702}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000663171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:34.368{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF9051931819B7783D52637A880A4A4,SHA256=113E0B1B6B98F2A13263ACDE3956C36F96E3A895891A9F547AE30BF6AFB4D858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001953288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 
(continuation of the preceding record; its header lies outside this extract)
  TargetImage (truncated)=8.0\ida64.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953269] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-436A-6307-0703-000000007602} TargetProcessId=6260 TargetImage=C:\Program Files\IDA Freeware 8.0\ida64.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953268] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-4210-6307-D702-000000007602} TargetProcessId=7048 TargetImage=C:\Windows\System32\win32calc.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953267] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-4210-6307-D702-000000007602} TargetProcessId=7048 TargetImage=C:\Windows\System32\win32calc.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953266] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A5-6307-3901-000000007602} TargetProcessId=6588 TargetImage=C:\Windows\ImmersiveControlPanel\SystemSettings.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953265] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A5-6307-3901-000000007602} TargetProcessId=6588 TargetImage=C:\Windows\ImmersiveControlPanel\SystemSettings.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953264] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A2-6307-3301-000000007602} TargetProcessId=5680 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953263] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A2-6307-3301-000000007602} TargetProcessId=5680 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953262] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A2-6307-3201-000000007602} TargetProcessId=3700 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953261] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A2-6307-3201-000000007602} TargetProcessId=3700 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953260] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A1-6307-3101-000000007602} TargetProcessId=4360 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953259] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A1-6307-3101-000000007602} TargetProcessId=4360 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953258] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A1-6307-3001-000000007602} TargetProcessId=5144 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953257] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A1-6307-3001-000000007602} TargetProcessId=5144 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953256] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A0-6307-2F01-000000007602} TargetProcessId=4596 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953255] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-37A0-6307-2F01-000000007602} TargetProcessId=4596 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953254] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-361E-6307-FB00-000000007602} TargetProcessId=6112 TargetImage=C:\Users\Administrator\Downloads\Procmon64.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953253] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-361E-6307-FB00-000000007602} TargetProcessId=6112 TargetImage=C:\Users\Administrator\Downloads\Procmon64.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953252] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35FB-6307-F000-000000007602} TargetProcessId=4288 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953251] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35FB-6307-F000-000000007602} TargetProcessId=4288 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953250] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35FB-6307-EF00-000000007602} TargetProcessId=4276 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953249] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35FB-6307-EF00-000000007602} TargetProcessId=4276 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953248] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35E9-6307-E200-000000007602} TargetProcessId=5316 TargetImage=C:\Program Files\Aurora-Agent\aurora-agent.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953247] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35E9-6307-E200-000000007602} TargetProcessId=5316 TargetImage=C:\Program Files\Aurora-Agent\aurora-agent.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953246] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35E2-6307-E000-000000007602} TargetProcessId=4860 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953245] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35E2-6307-E000-000000007602} TargetProcessId=4860 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953244] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35E2-6307-DF00-000000007602} TargetProcessId=4184 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953243] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 10:59:34.055
  SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId/SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe
  TargetProcessGUID={D25361F1-35E2-6307-DF00-000000007602} TargetProcessId=4184 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[EventRecordID 1953242] EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local
  RuleName=- UtcTime=2022-08-25 (record truncated in this extract)
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.055{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
Sysmon Event ID 10 (ProcessAccess) records from the flattened export. The export runs the event fields together with no separators; they are split out below in the order Sysmon writes them (UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace). Values shared by every record in this run:

  EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000
  Channel                          Microsoft-Windows-Sysmon/Operational
  Computer                         win-dc-ctus-attack-range-854.attackrange.local
  UtcTime                          2022-08-25 10:59:34.040
  SourceProcessGUID                {D25361F1-3610-6307-F600-000000007602}
  SourceProcessId, SourceThreadId  57285268 as exported (the two numeric fields are run together and the boundary is not recoverable from the export; 5728 / 5268 is the natural reading)
  SourceImage                      C:\Users\Administrator\Downloads\procexp64.exe
  GrantedAccess                    0x1400 = PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000); no memory-read, memory-write or thread rights
  CallTrace                        trace A or trace B below. Both run from procexp64.exe through advapi32.dll and mscoree.dll into the .NET performance-counter provider CorperfmonExt.dll before the OpenProcess call in KERNELBASE.dll, which is consistent with Process Explorer reading performance-counter data, during which the .NET provider opens every process on the host with query rights. The CallTrace, not the source image or the access mask alone, is what distinguishes this enumeration from a tool calling OpenProcess directly.

  Trace A:
  C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

  Trace B:
  C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Per-record fields (each target is opened twice, once with trace A and once with trace B):

  EventRecordID        TargetProcessGUID                        TargetProcessId  TargetImage                                                  CallTrace
  (on preceding line)  {D25361F1-33A4-6307-3A00-000000007602}   3188             C:\Windows\System32\vds.exe                                  A
  1953221              {D25361F1-33A4-6307-3A00-000000007602}   3188             C:\Windows\System32\vds.exe                                  B
  1953220              {D25361F1-33A4-6307-3700-000000007602}   3120             C:\Windows\system32\conhost.exe                              A
  1953219              {D25361F1-33A4-6307-3700-000000007602}   3120             C:\Windows\system32\conhost.exe                              B
  1953218              {D25361F1-33A3-6307-3100-000000007602}   2960             C:\Windows\system32\wbem\unsecapp.exe                        A
  1953217              {D25361F1-33A3-6307-3100-000000007602}   2960             C:\Windows\system32\wbem\unsecapp.exe                        B
  1953216              {D25361F1-33A3-6307-2F00-000000007602}   2772             C:\Windows\system32\DFSRs.exe                                A
  1953215              {D25361F1-33A3-6307-2F00-000000007602}   2772             C:\Windows\system32\DFSRs.exe                                B
  1953214              {D25361F1-33A3-6307-2E00-000000007602}   2764             C:\Windows\system32\dfssvc.exe                               A
  1953213              {D25361F1-33A3-6307-2E00-000000007602}   2764             C:\Windows\system32\dfssvc.exe                               B
  1953212              {D25361F1-33A3-6307-2D00-000000007602}   2752             C:\Windows\System32\ismserv.exe                              A
  1953211              {D25361F1-33A3-6307-2D00-000000007602}   2752             C:\Windows\System32\ismserv.exe                              B
  1953210              {D25361F1-33A3-6307-2C00-000000007602}   2604             C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe    A
  1953209              {D25361F1-33A3-6307-2C00-000000007602}   2604             C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe    B
  1953208              {D25361F1-33A3-6307-2B00-000000007602}   2596             C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe             A
  1953207              {D25361F1-33A3-6307-2B00-000000007602}   2596             C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe             B
  1953206              {D25361F1-33A3-6307-2900-000000007602}   2580             C:\Windows\system32\svchost.exe                              A
  1953205              {D25361F1-33A3-6307-2900-000000007602}   2580             C:\Windows\system32\svchost.exe                              B
  1953204              {D25361F1-33A3-6307-2800-000000007602}   2568             C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe    A
  1953203              {D25361F1-33A3-6307-2800-000000007602}   2568             C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe    B
  1953202              {D25361F1-33A3-6307-2700-000000007602}   2560             C:\Windows\system32\dns.exe                                  A
  1953201              {D25361F1-33A3-6307-2700-000000007602}   2560             C:\Windows\system32\dns.exe                                  B
  1953200              {D25361F1-33A3-6307-2600-000000007602}   2552             C:\Windows\sysmon64.exe                                      A
  1953199              {D25361F1-33A3-6307-2600-000000007602}   2552             C:\Windows\sysmon64.exe                                      B
  1953198              {D25361F1-33A3-6307-2500-000000007602}   2476             C:\Windows\System32\spoolsv.exe                              A
  1953197              {D25361F1-33A3-6307-2500-000000007602}   2476             C:\Windows\System32\spoolsv.exe                              B
  1953196              {D25361F1-339C-6307-2300-000000007602}   2332             C:\Windows\System32\svchost.exe                              A
  1953195              {D25361F1-339C-6307-2300-000000007602}   2332             C:\Windows\System32\svchost.exe                              B

Header of EventRecordID 1953194, whose body continues on the next line, kept as exported:
10341000x80000000000000001953194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:34.040{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:35.086{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000663238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:36.569{F6DB49F2-33A2-6307-6D00-000000007702}3760NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEB6FB10490831E284F967EC652B7AC,SHA256=D5491DD8B6A883D7D3B4F11641B431A2E4FBD414EC33E0F72BFC4E6CA0CC9C8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001953465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:34.774{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local64275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x80000000000000001953464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.438{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA18A761534F61135653D802AB07B89,SHA256=E4333CCA026266803DB2001136AF6BCAC206AE9B61B5AD92FB3C46F540345924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001953463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.438{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD032D5891902E98930F58235254F98,SHA256=465FF12099D009F1B828BAFCE33D23FC5D32B18A92BA6237CE8F62940CCF4FDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000663237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:34.646{F6DB49F2-338F-6307-1000-000000007702}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.223.106.200ec2-34-223-106-200.us-west-2.compute.amazonaws.com55264-false10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal3389ms-wbt-server 10341000x80000000000000001953462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:36.101{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.122{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.121{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.121{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.120{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.121{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.120{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.120{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.120{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.120{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.120{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.120{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.119{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.119{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.119{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.119{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.119{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.119{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.119{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.119{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.118{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.118{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.118{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.118{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.118{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:37.118{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.117{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:37.117{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000663241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:38.743{F6DB49F2-33A2-6307-6D00-000000007702}3760NT 
10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:38.138{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000663242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:39.829{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987647748961228A69892F76AA7E6092,SHA256=F56636429D21BC920DE1250062F7C3082AFED89D4C406B01EE75342345DED753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001953679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.753{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFA6145BEDD5BE6B7D313E892BF29CB,SHA256=6F887CD752E5DC0206D823FCD9AEC4721FCA57376BE798040915A8FBF6041846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001953678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.337{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038ECC02042F660F0B6678FF2094C722,SHA256=BB207BCBFF5AC140FF5D201BA214493067CD934F36E141E5EE1B4E1A757764B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001953677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.284{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.284{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.284{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:39.168{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
[Event data of a ProcessAccess record whose header, including its RecordID, is on the preceding line]
UtcTime=10:59:39.168 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35DE-6307-D000-000000007602} TargetProcessId=3896 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x1fffff CallTrace=A

Field key for the records below. The export ran every XML value of each Sysmon event together with no separator; the values are unchanged here, only split back into Sysmon's named fields, one record per line, in the order they appear on the page.
System values as printed, in the order EventID Version Level Task Opcode Keywords: Event 10 (ProcessAccess) records carry 10 3 4 10 0 0x8000000000000000, Event 23 (FileDelete) records carry 23 5 4 23 0 0x8000000000000000. Every record has Channel=Microsoft-Windows-Sysmon/Operational and RuleName=-, and every UtcTime is on 2022-08-25.
Event 10 rows: all have Computer=win-dc-ctus-attack-range-854.attackrange.local, SourceProcessGUID={D25361F1-3610-6307-F600-000000007602}, SourceProcessId and SourceThreadId fused as 57285268 (the boundary between the two is not recoverable from the flattened text), SourceImage=C:\Users\Administrator\Downloads\procexp64.exe and GrantedAccess=0x1fffff. Only RecordID, UtcTime, the target and the CallTrace variant vary.
CallTrace A = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
CallTrace B = C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 (seen only on the csrss.exe, services.exe, wininit.exe, smss.exe and System targets)
Event 23 rows carry ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable and Archived.

EventID=10 RecordID=1953649 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-35DD-6307-CE00-000000007602} TargetProcessId=764 TargetImage=C:\Windows\system32\winlogon.exe CallTrace=A
EventID=10 RecordID=1953648 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-35DD-6307-CD00-000000007602} TargetProcessId=1324 TargetImage=C:\Windows\system32\csrss.exe CallTrace=B
EventID=10 RecordID=1953647 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-341E-6307-8900-000000007602} TargetProcessId=3136 TargetImage=C:\Windows\System32\msdtc.exe CallTrace=A
EventID=10 RecordID=1953646 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33B6-6307-7B00-000000007602} TargetProcessId=2184 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe CallTrace=A
EventID=10 RecordID=1953645 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33AF-6307-7100-000000007602} TargetProcessId=3892 TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe CallTrace=A
EventID=10 RecordID=1953644 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A5-6307-4500-000000007602} TargetProcessId=3548 TargetImage=C:\Windows\system32\conhost.exe CallTrace=A
EventID=10 RecordID=1953643 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A5-6307-4100-000000007602} TargetProcessId=3460 TargetImage=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe CallTrace=A
EventID=10 RecordID=1953642 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A4-6307-3A00-000000007602} TargetProcessId=3188 TargetImage=C:\Windows\System32\vds.exe CallTrace=A
EventID=10 RecordID=1953641 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A4-6307-3700-000000007602} TargetProcessId=3120 TargetImage=C:\Windows\system32\conhost.exe CallTrace=A
EventID=10 RecordID=1953640 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-3100-000000007602} TargetProcessId=2960 TargetImage=C:\Windows\system32\wbem\unsecapp.exe CallTrace=A
EventID=10 RecordID=1953639 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2F00-000000007602} TargetProcessId=2772 TargetImage=C:\Windows\system32\DFSRs.exe CallTrace=A
EventID=10 RecordID=1953638 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2E00-000000007602} TargetProcessId=2764 TargetImage=C:\Windows\system32\dfssvc.exe CallTrace=A
EventID=10 RecordID=1953637 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2D00-000000007602} TargetProcessId=2752 TargetImage=C:\Windows\System32\ismserv.exe CallTrace=A
EventID=10 RecordID=1953636 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2C00-000000007602} TargetProcessId=2604 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe CallTrace=A
EventID=10 RecordID=1953635 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2B00-000000007602} TargetProcessId=2596 TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe CallTrace=A
EventID=10 RecordID=1953634 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2900-000000007602} TargetProcessId=2580 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953633 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2800-000000007602} TargetProcessId=2568 TargetImage=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe CallTrace=A
EventID=10 RecordID=1953632 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2700-000000007602} TargetProcessId=2560 TargetImage=C:\Windows\system32\dns.exe CallTrace=A
EventID=10 RecordID=1953631 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2600-000000007602} TargetProcessId=2552 TargetImage=C:\Windows\sysmon64.exe CallTrace=A
EventID=10 RecordID=1953630 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-33A3-6307-2500-000000007602} TargetProcessId=2476 TargetImage=C:\Windows\System32\spoolsv.exe CallTrace=A
EventID=10 RecordID=1953629 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-339C-6307-2300-000000007602} TargetProcessId=2332 TargetImage=C:\Windows\System32\svchost.exe CallTrace=A
EventID=10 RecordID=1953628 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3393-6307-1700-000000007602} TargetProcessId=1396 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953627 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3393-6307-1D00-000000007602} TargetProcessId=2088 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953626 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3393-6307-1600-000000007602} TargetProcessId=1308 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953625 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-1500-000000007602} TargetProcessId=1256 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953624 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-1400-000000007602} TargetProcessId=1084 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953623 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-1300-000000007602} TargetProcessId=928 TargetImage=C:\Windows\system32\dwm.exe CallTrace=A
EventID=10 RecordID=1953622 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-1200-000000007602} TargetProcessId=484 TargetImage=C:\Windows\System32\svchost.exe CallTrace=A
EventID=10 RecordID=1953621 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-1100-000000007602} TargetProcessId=420 TargetImage=C:\Windows\System32\svchost.exe CallTrace=A
EventID=10 RecordID=1953620 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-1000-000000007602} TargetProcessId=440 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953619 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-0F00-000000007602} TargetProcessId=108 TargetImage=C:\Windows\System32\svchost.exe CallTrace=A
EventID=10 RecordID=1953618 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-0E00-000000007602} TargetProcessId=996 TargetImage=C:\Windows\system32\LogonUI.exe CallTrace=A
EventID=10 RecordID=1953617 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-0D00-000000007602} TargetProcessId=892 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953616 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3392-6307-0C00-000000007602} TargetProcessId=836 TargetImage=C:\Windows\system32\svchost.exe CallTrace=A
EventID=10 RecordID=1953615 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3390-6307-0B00-000000007602} TargetProcessId=632 TargetImage=C:\Windows\system32\lsass.exe CallTrace=A
EventID=10 RecordID=1953614 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3390-6307-0A00-000000007602} TargetProcessId=624 TargetImage=C:\Windows\system32\services.exe CallTrace=B
EventID=10 RecordID=1953613 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3390-6307-0900-000000007602} TargetProcessId=572 TargetImage=C:\Windows\system32\winlogon.exe CallTrace=A
EventID=10 RecordID=1953612 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3390-6307-0800-000000007602} TargetProcessId=496 TargetImage=C:\Windows\system32\csrss.exe CallTrace=B
EventID=10 RecordID=1953611 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3390-6307-0700-000000007602} TargetProcessId=488 TargetImage=C:\Windows\system32\wininit.exe CallTrace=B
EventID=10 RecordID=1953610 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-3390-6307-0500-000000007602} TargetProcessId=416 TargetImage=C:\Windows\system32\csrss.exe CallTrace=B
EventID=10 RecordID=1953609 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-338D-6307-0200-000000007602} TargetProcessId=320 TargetImage=C:\Windows\System32\smss.exe CallTrace=B
EventID=10 RecordID=1953608 UtcTime=10:59:39.168 TargetProcessGUID={D25361F1-338D-6307-0100-000000007602} TargetProcessId=4 TargetImage=System CallTrace=B
EventID=23 RecordID=663243 Computer=win-host-ctus-attack-range-538 UtcTime=10:59:40.913 ProcessGuid={F6DB49F2-33A2-6307-6D00-000000007702} ProcessId=3760 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=A210A48FA28786BC2C78217F8DD9F428,SHA256=2FDFF29FB98855A62767CEA85423B744C30E5F85E4F1A899CD2AC81387E91F95,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=1953748 Computer=win-dc-ctus-attack-range-854.attackrange.local UtcTime=10:59:40.919 ProcessGuid={D25361F1-33B6-6307-7B00-000000007602} ProcessId=2184 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=F55811FC0D9C7EFB0DCFB2581F2498EC,SHA256=8E556AB310DC044869E2B11FB9ED9A73BBDF3A5C68A8D7BF192B5B6C5FFB442A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=1953747 Computer=win-dc-ctus-attack-range-854.attackrange.local UtcTime=10:59:40.283 ProcessGuid={D25361F1-33B6-6307-7B00-000000007602} ProcessId=2184 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=932BEC59CA62760B58DD49F806A33A0B,SHA256=A4D1E6EBF0B32D506DED5CE441CD2EFFBB5C1F5EC5EFC0B333D0746EB6B9CDDF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 RecordID=1953746 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-52AD-6307-E404-000000007602} TargetProcessId=7476 TargetImage=C:\Windows\SYSTEM32\notepad.exe CallTrace=A
EventID=10 RecordID=1953745 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-4AD7-6307-F503-000000007602} TargetProcessId=6996 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953744 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-4AD1-6307-F403-000000007602} TargetProcessId=7488 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953743 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-4AD0-6307-F303-000000007602} TargetProcessId=9620 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953742 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-4AB4-6307-EB03-000000007602} TargetProcessId=6088 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953741 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-4A8F-6307-EA03-000000007602} TargetProcessId=6404 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe CallTrace=A
EventID=10 RecordID=1953740 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-49F6-6307-CD03-000000007602} TargetProcessId=7868 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953739 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-436A-6307-0703-000000007602} TargetProcessId=6260 TargetImage=C:\Program Files\IDA Freeware 8.0\ida64.exe CallTrace=A
EventID=10 RecordID=1953738 UtcTime=10:59:40.189 TargetProcessGUID={D25361F1-4210-6307-D702-000000007602} TargetProcessId=7048 TargetImage=C:\Windows\System32\win32calc.exe CallTrace=A
EventID=10 RecordID=1953737 UtcTime=10:59:40.188 TargetProcessGUID={D25361F1-37A5-6307-3901-000000007602} TargetProcessId=6588 TargetImage=C:\Windows\ImmersiveControlPanel\SystemSettings.exe CallTrace=A
EventID=10 RecordID=1953736 UtcTime=10:59:40.188 TargetProcessGUID={D25361F1-37A2-6307-3301-000000007602} TargetProcessId=5680 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953735 UtcTime=10:59:40.187 TargetProcessGUID={D25361F1-37A2-6307-3201-000000007602} TargetProcessId=3700 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953734 UtcTime=10:59:40.187 TargetProcessGUID={D25361F1-37A1-6307-3101-000000007602} TargetProcessId=4360 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953733 UtcTime=10:59:40.187 TargetProcessGUID={D25361F1-37A1-6307-3001-000000007602} TargetProcessId=5144 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953732 UtcTime=10:59:40.187 TargetProcessGUID={D25361F1-37A0-6307-2F01-000000007602} TargetProcessId=4596 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe CallTrace=A
EventID=10 RecordID=1953731 UtcTime=10:59:40.187 TargetProcessGUID={D25361F1-361E-6307-FB00-000000007602} TargetProcessId=6112 TargetImage=C:\Users\Administrator\Downloads\Procmon64.exe CallTrace=A
EventID=10 RecordID=1953730 UtcTime=10:59:40.183 TargetProcessGUID={D25361F1-35FB-6307-F000-000000007602} TargetProcessId=4288 TargetImage=C:\Windows\system32\conhost.exe CallTrace=A
EventID=10 RecordID=1953729 UtcTime=10:59:40.183 TargetProcessGUID={D25361F1-35FB-6307-EF00-000000007602} TargetProcessId=4276 TargetImage=C:\Windows\system32\cmd.exe CallTrace=A
EventID=10 RecordID=1953728 UtcTime=10:59:40.183 TargetProcessGUID={D25361F1-35E9-6307-E200-000000007602} TargetProcessId=5316 TargetImage=C:\Program Files\Aurora-Agent\aurora-agent.exe CallTrace=A
EventID=10 RecordID=1953727 UtcTime=10:59:40.183 TargetProcessGUID={D25361F1-35E2-6307-E000-000000007602} TargetProcessId=4860 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe CallTrace=A
EventID=10 RecordID=1953726 Computer=win-dc-ctus-attack-range-854.attackrange.local UtcTime=2022-08-25 (the time and the event data of this record continue on the next line)
10:59:40.182{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.182{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.182{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.182{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.181{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.181{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.181{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.181{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.181{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.180{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.180{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.180{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.180{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.180{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.180{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.179{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.179{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.179{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.179{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.178{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.178{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.177{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.177{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.177{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.176{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.176{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.175{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.174{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.173{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.173{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:40.173{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:40.173 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0B00-000000007602} TargetProcessId=632 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953686 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:40.173 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0A00-000000007602} TargetProcessId=624 TargetImage=C:\Windows\system32\services.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953685 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:40.172 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0900-000000007602} TargetProcessId=572 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953684 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:40.172 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0800-000000007602} TargetProcessId=496 TargetImage=C:\Windows\system32\csrss.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953683 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:40.172 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0700-000000007602} TargetProcessId=488 TargetImage=C:\Windows\system32\wininit.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953682 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:40.172 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0500-000000007602} TargetProcessId=416 TargetImage=C:\Windows\system32\csrss.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953681 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:40.170 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-338D-6307-0200-000000007602} TargetProcessId=320 TargetImage=C:\Windows\System32\smss.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953680 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:40.170 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-338D-6307-0100-000000007602} TargetProcessId=4 TargetImage=System GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953842 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.631 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2E00-000000007602} TargetProcessId=2764 TargetImage=C:\Windows\system32\dfssvc.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953841 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.625 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2F00-000000007602} TargetProcessId=2772 TargetImage=C:\Windows\system32\DFSRs.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953840 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.624 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2D00-000000007602} TargetProcessId=2752 TargetImage=C:\Windows\System32\ismserv.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953839 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.620 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2C00-000000007602} TargetProcessId=2604 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953838 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.618 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2B00-000000007602} TargetProcessId=2596 TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953837 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.615 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2900-000000007602} TargetProcessId=2580 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953836 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.609 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2800-000000007602} TargetProcessId=2568 TargetImage=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953835 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.386 ProcessGuid={D25361F1-33B6-6307-7B00-000000007602} ProcessId=2184 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=5120BD7765A364A46AE92E10B833EB88,SHA256=FAD78E618D6EFCA24B9437D14F67D43230250B6E851EDBE8AA0595DA2014D61C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953834 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.295 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2700-000000007602} TargetProcessId=2560 TargetImage=C:\Windows\system32\dns.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953833 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.291 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2600-000000007602} TargetProcessId=2552 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953832 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.286 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A3-6307-2500-000000007602} TargetProcessId=2476 TargetImage=C:\Windows\System32\spoolsv.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953831 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.283 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-339C-6307-2300-000000007602} TargetProcessId=2332 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953830 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.282 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-3393-6307-1D00-000000007602} TargetProcessId=2088 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953829 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.280 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-3393-6307-1700-000000007602} TargetProcessId=1396 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953828 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.259 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-3393-6307-1600-000000007602} TargetProcessId=1308 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953827 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.254 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-3392-6307-1500-000000007602} TargetProcessId=1256 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953826 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.244 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-3392-6307-1400-000000007602} TargetProcessId=1084 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953825 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.239 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-3392-6307-1300-000000007602} TargetProcessId=928 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953824 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.232 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-3392-6307-1200-000000007602} TargetProcessId=484 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953823 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.204 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} Source
ProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-52AD-6307-E404-000000007602} TargetProcessId=7476 TargetImage=C:\Windows\SYSTEM32\notepad.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953822 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.204 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4AD7-6307-F503-000000007602} TargetProcessId=6996 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953821 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.203 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4AD1-6307-F403-000000007602} TargetProcessId=7488 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953820 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.203 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4AD0-6307-F303-000000007602} TargetProcessId=9620 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953819 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.203 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId+SourceThreadId=53164992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-3392-6307-1100-000000007602} TargetProcessId=420 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953818 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.203 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4AB4-6307-EB03-000000007602} TargetProcessId=6088 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953817 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.203 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4A8F-6307-EA03-000000007602} TargetProcessId=6404 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953816 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.203 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-49F6-6307-CD03-000000007602} TargetProcessId=7868 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953815 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.203 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-436A-6307-0703-000000007602} TargetProcessId=6260 TargetImage=C:\Program Files\IDA Freeware 8.0\ida64.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953814 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.203 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4210-6307-D702-000000007602} TargetProcessId=7048 TargetImage=C:\Windows\System32\win32calc.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953813 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.202 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A5-6307-3901-000000007602} TargetProcessId=6588 TargetImage=C:\Windows\ImmersiveControlPanel\SystemSettings.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953812 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.202 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A2-6307-3301-000000007602} TargetProcessId=5680 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953811 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.201 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A2-6307-3201-000000007602} TargetProcessId=3700 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953810 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.201 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A1-6307-3101-000000007602} TargetProcessId=4360 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953809 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.201 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A1-6307-3001-000000007602} TargetProcessId=5144 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953808 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.201 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A0-6307-2F01-000000007602} TargetProcessId=4596 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953807 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.201 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-361E-6307-FB00-000000007602} TargetProcessId=6112 TargetImage=C:\Users\Administrator\Downloads\Procmon64.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
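The records above are Sysmon Event ID 10 (ProcessAccess) entries whose fields were run together on export: EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, RuleName, UtcTime, then SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess and CallTrace, with the date and time of a record sometimes split across two lines. The operationally interesting record is procexp64.exe, run from a Downloads folder, opening lsass.exe with GrantedAccess 0x1fffff, which is PROCESS_ALL_ACCESS; that is exactly the pattern lsass credential-dumping detections key on, so an analyst has to decide whether to allowlist the tool by signature or hash rather than by path. The aurora-agent.exe sweep, by contrast, asks for only 0x40 (PROCESS_DUP_HANDLE) against each service process, and its call trace ends in an UNKNOWN frame, i.e. a return address outside any loaded module, which some injection heuristics also flag. The Python below is an added example, not part of this export or of any tool that appears in it: it rejoins the split timestamps, cuts the blob back into records, parses the Event 10 ones (other event IDs are skipped), resolves the fused SourceProcessId/SourceThreadId only where the same GUID appears as a target elsewhere (the PID is delimited there; the procexp64.exe pair stays unresolved), decodes the access mask into named rights, and flags lsass access. It assumes the field order above and that RuleName is "-" as in every record here; SAMPLE is constructed in the shape of the dump, with illustrative record IDs and shortened call traces.

```python
# Parser + detection for the field-fused Sysmon Event 10 dump above. Added example;
# field order and RuleName="-" are assumptions (see lead-in), SAMPLE is constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = (  # constructed: three Event 10 records and one Event 23 record, fused like the dump
    "10341000x80000000000000001953687Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-854.attackrange.local-2022-08-25 \n10:59:40.173"
    "{D25361F1-3610-6307-F600-000000007602}57285268C:\\Users\\Administrator\\Downloads\\procexp64.exe"
    "{D25361F1-3390-6307-0B00-000000007602}632C:\\Windows\\system32\\lsass.exe0x1fffff"
    "C:\\Windows\\SYSTEM32\\ntdll.dll+a6144|C:\\Users\\Administrator\\Downloads\\procexp64.exe+a822a "
    "10341000x80000000000000001953842Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.631"
    "{D25361F1-35E9-6307-E200-000000007602}53164992C:\\Program Files\\Aurora-Agent\\aurora-agent.exe"
    "{D25361F1-33A3-6307-2E00-000000007602}2764C:\\Windows\\system32\\dfssvc.exe0x40"
    "C:\\Windows\\SYSTEM32\\ntdll.dll+a6144|C:\\Program Files\\Aurora-Agent\\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) "
    "23542300x80000000000000001953835Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.386"
    "{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\\SYSTEMC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe"
    "C:\\Program Files\\SplunkUniversalForwarder\\var\\lib\\splunk\\modinputs\\WinEventLog\\Microsoft-Windows-Sysmon_Operational"
    "MD5=5120BD7765A364A46AE92E10B833EB88,SHA256=FAD78E618D6EFCA24B9437D14F67D43230250B6E851EDBE8AA0595DA2014D61C,"
    "IMPHASH=00000000000000000000000000000000falsetrue "
    "10341000x80000000000000001953804Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.200"
    "{D25361F1-3610-6307-F600-000000007602}57285268C:\\Users\\Administrator\\Downloads\\procexp64.exe"
    "{D25361F1-35E9-6307-E200-000000007602}5316C:\\Program Files\\Aurora-Agent\\aurora-agent.exe0x1fffff"
    "C:\\Windows\\SYSTEM32\\ntdll.dll+a6144|C:\\Windows\\SYSTEM32\\ntdll.dll+51791"
)

# A record starts wherever whitespace precedes "<EventID><Version><Level><Task><Opcode>0x<Keywords><RecordID>Microsoft-Windows-Sysmon/Operational".
RECORD_START = re.compile(r"\s+(?=\d+0x[0-9a-fA-F]{16}\d+Microsoft-Windows-Sysmon/Operational)")
EVENT10 = re.compile(  # Event 10 only; other IDs (7, 23, ...) do not match and are skipped
    r"^10(\d)(\d)10(\d)0x[0-9a-fA-F]{16}(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-"  # the "-" is RuleName (assumed)
    r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<source_guid>[0-9A-F-]{36})\}(?P<source_pid_tid>\d+)(?P<source_image>[^{]+)"
    r"\{(?P<target_guid>[0-9A-F-]{36})\}(?P<target_pid>\d+)(?P<target_image>.+?)"
    r"(?P<granted_access>0x[0-9a-fA-F]+)(?P<call_trace>(?:[A-Z]:\\|UNKNOWN\().*)$")

@dataclass
class ProcessAccess:
    record_id: int
    utc_time: str
    source_guid: str
    source_pid_tid: str  # SourceProcessId and SourceThreadId fused, e.g. "57285268"
    source_image: str
    target_guid: str
    target_pid: int
    target_image: str
    granted_access: int
    call_trace: List[str]
    source_pid: Optional[int] = None
    source_tid: Optional[int] = None

def parse_dump(blob: str) -> List[ProcessAccess]:
    text = re.sub(r"\s+", " ", blob).strip()  # rejoin a date/time split across lines
    events = []
    for chunk in RECORD_START.split(text):
        m = EVENT10.match(chunk)
        if m is None:
            continue
        events.append(ProcessAccess(
            int(m["record_id"]), m["utc_time"], m["source_guid"], m["source_pid_tid"],
            m["source_image"], m["target_guid"], int(m["target_pid"]), m["target_image"],
            int(m["granted_access"], 16), m["call_trace"].split("|")))
    # The fused "<pid><tid>" can only be split safely when the same GUID shows up as a
    # *target* elsewhere, where TargetProcessId is delimited. Otherwise leave it unresolved.
    guid_to_pid: Dict[str, int] = {e.target_guid: e.target_pid for e in events}
    for e in events:
        pid = str(guid_to_pid.get(e.source_guid, ""))
        if pid and e.source_pid_tid.startswith(pid) and len(e.source_pid_tid) > len(pid):
            e.source_pid, e.source_tid = int(pid), int(e.source_pid_tid[len(pid):])
    return events

PROCESS_RIGHTS = {  # winnt.h process-specific rights (PROCESS_ prefix dropped) plus standard rights
    0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x4: "SET_SESSIONID", 0x8: "VM_OPERATION",
    0x10: "VM_READ", 0x20: "VM_WRITE", 0x40: "DUP_HANDLE", 0x80: "CREATE_PROCESS",
    0x100: "SET_QUOTA", 0x200: "SET_INFORMATION", 0x400: "QUERY_INFORMATION",
    0x800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE"}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights a credential dumper needs against lsass.exe: read/write its memory, inject, or steal handles.
MEMORY_RIGHTS = 0x2 | 0x8 | 0x10 | 0x20 | 0x40

def decode_access(mask: int) -> List[str]:
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [n for bit, n in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    rest = mask & ~sum(PROCESS_RIGHTS)  # any bits we have no name for
    return names + ([f"0x{rest:x}"] if rest else [])

def flag_lsass_access(events, allowlist=frozenset()):
    """Event 10 records where a non-allowlisted image opened lsass.exe with memory rights."""
    return [e for e in events
            if e.target_image.lower().endswith("\\lsass.exe")
            and e.source_image.lower() not in allowlist
            and e.granted_access & MEMORY_RIGHTS]

def unbacked_frames(e: ProcessAccess) -> List[str]:
    """Call-trace frames whose return address lies outside any loaded module."""
    return [f for f in e.call_trace if f.startswith("UNKNOWN")]

if __name__ == "__main__":
    evs = parse_dump(SAMPLE)
    for e in evs:
        print(e.record_id, e.source_image, e.source_pid, "->", e.target_image, e.target_pid,
              hex(e.granted_access), decode_access(e.granted_access), unbacked_frames(e))
    for e in flag_lsass_access(evs):
        print("ALERT", e.record_id, e.utc_time, e.source_image, "opened lsass.exe with", hex(e.granted_access))
```

Allowlisting is deliberately by full image path only as a placeholder; in production key it on the Sysmon Event 1 hash or signer of the source image, since a path like C:\Users\Administrator\Downloads\procexp64.exe proves nothing about what the binary is. The UNKNOWN-frame check is a heuristic: unbacked return addresses appear in injected code but also in legitimate runtimes that JIT or trampoline, so treat it as a scoring signal, not an alert on its own.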
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953806 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.200 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35FB-6307-F000-000000007602} TargetProcessId=4288 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953805 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.200 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35FB-6307-EF00-000000007602} TargetProcessId=4276 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953804 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.200 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35E9-6307-E200-000000007602} TargetProcessId=5316 TargetImage=C:\Program Files\Aurora-Agent\aurora-agent.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953803 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.200 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35E2-6307-E000-000000007602} TargetProcessId=4860 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953802 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.200 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35E2-6307-DF00-000000007602} TargetProcessId=4184 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953801 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.199 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35E0-6307-DE00-000000007602} TargetProcessId=5008 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953800 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.199 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35E0-6307-D600-000000007602} TargetProcessId=4472 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953799 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.199 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35E0-6307-D300-000000007602} TargetProcessId=4392 TargetImage=C:\Windows\System32\rdpclip.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953798 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.199 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35DE-6307-D000-000000007602} TargetProcessId=3896 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953797 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.198 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35DD-6307-CE00-000000007602} TargetProcessId=764 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953796 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.198 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-35DD-6307-CD00-000000007602} TargetProcessId=1324 TargetImage=C:\Windows\system32\csrss.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953795 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.198 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-341E-6307-8900-000000007602} TargetProcessId=3136 TargetImage=C:\Windows\System32\msdtc.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953794 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.198 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-33B6-6307-7B00-000000007602} TargetProcessId=2184 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953793 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.198 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-33AF-6307-7100-000000007602} TargetProcessId=3892 TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953792 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:41.198 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId+SourceThreadId=57285268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-33A5-6307-4500-000000007602} TargetProcessId=3548 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1953791 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 
10:59:41.197{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.197{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.197{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.197{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.197{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.197{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.197{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.197{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.196{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.196{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.195{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.195{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.195{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.195{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.195{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.195{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.194{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.194{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.194{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.194{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.194{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.194{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 10341000x80000000000000001953769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.194{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.194{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.194{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.193{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.193{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.193{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.193{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.193{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.192{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.192{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.192{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.192{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.192{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.191{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:41.191{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.183{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 10341000x80000000000000001953753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:41.176{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
(tail of a CallTrace whose record begins before this section) Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)

Sysmon Event ID 10 (ProcessAccess), source aurora-agent.exe
Common fields: Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-ctus-attack-range-854.attackrange.local, RuleName -, UtcTime date 2022-08-25, SourceProcessGUID {D25361F1-35E9-6307-E200-000000007602}, SourceProcessId 5316, SourceThreadId 4992, SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe.
CallTrace A (identical for all four rows): C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)

EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
1953752 | 10:59:41.169 | {D25361F1-3392-6307-0D00-000000007602} | 892 | C:\Windows\system32\svchost.exe | 0x40 | A
1953751 | 10:59:41.162 | {D25361F1-3392-6307-0C00-000000007602} | 836 | C:\Windows\system32\svchost.exe | 0x40 | A
1953750 | 10:59:41.130 | {D25361F1-3390-6307-0B00-000000007602} | 632 | C:\Windows\system32\lsass.exe | 0x40 | A
1953749 | 10:59:41.128 | {D25361F1-3390-6307-0900-000000007602} | 572 | C:\Windows\system32\winlogon.exe | 0x40 | A

Sysmon Event ID 23 (FileDelete), source splunk-winevtlog.exe
Common fields: Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, RuleName -, User NT AUTHORITY\SYSTEM, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational, IMPHASH=00000000000000000000000000000000, IsExecutable false, Archived true.

EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | MD5 | SHA256
663244 | win-host-ctus-attack-range-538 | 2022-08-25 10:59:42.000 | {F6DB49F2-33A2-6307-6D00-000000007702} | 3760 | C86F41FAB6AA355C61D61C3F1DE31498 | E25C0EC071E790B4CDCB9B02AAFDE4C77521BDE0D6DE9D289701291E1DC6E5F1
1953911 | win-dc-ctus-attack-range-854.attackrange.local | 2022-08-25 10:59:42.435 | {D25361F1-33B6-6307-7B00-000000007602} | 2184 | 12F572270CA8E497CE6444BD2A20090D | 9FDD26D6C4D92B1AEEA188729C5434111D749D5102D59309B41CB85FB8A24880
1953910 | win-dc-ctus-attack-range-854.attackrange.local | 2022-08-25 10:59:42.416 | {D25361F1-33B6-6307-7B00-000000007602} | 2184 | 786843CDDF3108DDBB482324743AB038 | AF55B726CD2298BA9522532E2EE899DBE1D812CE7EEA19B4F9B4661775F37888

Sysmon Event ID 3 (NetworkConnect), source streamfwd.exe
Common fields: Version 5, Level 4, Task 3, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-ctus-attack-range-854.attackrange.local, RuleName -.

EventRecordID | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
1953912 | 2022-08-25 10:59:40.755 | {D25361F1-33AF-6307-7100-000000007602} | 3892 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-ctus-attack-range-854.attackrange.local | 64276 | - | false | 10.0.1.12 | ip-10-0-1-12.us-east-2.compute.internal | 8000 | -

Sysmon Event ID 10 (ProcessAccess), source procexp64.exe
Common fields: Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-ctus-attack-range-854.attackrange.local, RuleName -, UtcTime 2022-08-25 10:59:42.220 (every row), SourceProcessGUID {D25361F1-3610-6307-F600-000000007602}, SourceProcessId 5728, SourceThreadId 5268, SourceImage C:\Users\Administrator\Downloads\procexp64.exe, GrantedAccess 0x1fffff (every row).
CallTrace B (all rows except 1953883): C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
CallTrace C (row 1953883 only): C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID | TargetProcessGUID | TargetProcessId | TargetImage | CallTrace
1953909 | {D25361F1-52AD-6307-E404-000000007602} | 7476 | C:\Windows\SYSTEM32\notepad.exe | B
1953908 | {D25361F1-4AD7-6307-F503-000000007602} | 6996 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953907 | {D25361F1-4AD1-6307-F403-000000007602} | 7488 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953906 | {D25361F1-4AD0-6307-F303-000000007602} | 9620 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953905 | {D25361F1-4AB4-6307-EB03-000000007602} | 6088 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953904 | {D25361F1-4A8F-6307-EA03-000000007602} | 6404 | C:\Windows\system32\wbem\wmiprvse.exe | B
1953903 | {D25361F1-49F6-6307-CD03-000000007602} | 7868 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953902 | {D25361F1-436A-6307-0703-000000007602} | 6260 | C:\Program Files\IDA Freeware 8.0\ida64.exe | B
1953901 | {D25361F1-4210-6307-D702-000000007602} | 7048 | C:\Windows\System32\win32calc.exe | B
1953900 | {D25361F1-37A5-6307-3901-000000007602} | 6588 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | B
1953899 | {D25361F1-37A2-6307-3301-000000007602} | 5680 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953898 | {D25361F1-37A2-6307-3201-000000007602} | 3700 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953897 | {D25361F1-37A1-6307-3101-000000007602} | 4360 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953896 | {D25361F1-37A1-6307-3001-000000007602} | 5144 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953895 | {D25361F1-37A0-6307-2F01-000000007602} | 4596 | C:\Program Files\Mozilla Firefox\firefox.exe | B
1953894 | {D25361F1-361E-6307-FB00-000000007602} | 6112 | C:\Users\Administrator\Downloads\Procmon64.exe | B
1953893 | {D25361F1-35FB-6307-F000-000000007602} | 4288 | C:\Windows\system32\conhost.exe | B
1953892 | {D25361F1-35FB-6307-EF00-000000007602} | 4276 | C:\Windows\system32\cmd.exe | B
1953891 | {D25361F1-35E9-6307-E200-000000007602} | 5316 | C:\Program Files\Aurora-Agent\aurora-agent.exe | B
1953890 | {D25361F1-35E2-6307-E000-000000007602} | 4860 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | B
1953889 | {D25361F1-35E2-6307-DF00-000000007602} | 4184 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | B
1953888 | {D25361F1-35E0-6307-DE00-000000007602} | 5008 | C:\Windows\Explorer.EXE | B
1953887 | {D25361F1-35E0-6307-D600-000000007602} | 4472 | C:\Windows\system32\svchost.exe | B
1953886 | {D25361F1-35E0-6307-D300-000000007602} | 4392 | C:\Windows\System32\rdpclip.exe | B
1953885 | {D25361F1-35DE-6307-D000-000000007602} | 3896 | C:\Windows\system32\dwm.exe | B
1953884 | {D25361F1-35DD-6307-CE00-000000007602} | 764 | C:\Windows\system32\winlogon.exe | B
1953883 | {D25361F1-35DD-6307-CD00-000000007602} | 1324 | C:\Windows\system32\csrss.exe | C
1953882 | {D25361F1-341E-6307-8900-000000007602} | 3136 | C:\Windows\System32\msdtc.exe | B
1953881 | {D25361F1-33B6-6307-7B00-000000007602} | 2184 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | B
1953880 | {D25361F1-33AF-6307-7100-000000007602} | 3892 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | B
1953879 | {D25361F1-33A5-6307-4500-000000007602} | 3548 | C:\Windows\system32\conhost.exe | B
1953878 | {D25361F1-33A5-6307-4100-000000007602} | 3460 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | B
1953877 | {D25361F1-33A4-6307-3A00-000000007602} | 3188 | C:\Windows\System32\vds.exe | B
1953876 | {D25361F1-33A4-6307-3700-000000007602} | 3120 | C:\Windows\system32\conhost.exe | B
1953875 | {D25361F1-33A3-6307-3100-000000007602} | 2960 | C:\Windows\system32\wbem\unsecapp.exe | B
1953874 | {D25361F1-33A3-6307-2F00-000000007602} | 2772 | C:\Windows\system32\DFSRs.exe | B
1953873 | {D25361F1-33A3-6307-2E00-000000007602} | 2764 | C:\Windows\system32\dfssvc.exe | B
1953872 | {D25361F1-33A3-6307-2D00-000000007602} | 2752 | C:\Windows\System32\ismserv.exe | B
1953871 | {D25361F1-33A3-6307-2C00-000000007602} | 2604 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | B
1953870 | {D25361F1-33A3-6307-2B00-000000007602} | 2596 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | B
1953869 | {D25361F1-33A3-6307-2900-000000007602} | 2580 | C:\Windows\system32\svchost.exe | B
1953868 | {D25361F1-33A3-6307-2800-000000007602} | 2568 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | B
1953867 | {D25361F1-33A3-6307-2700-000000007602} | 2560 | C:\Windows\system32\dns.exe | B
1953866 | {D25361F1-33A3-6307-2600-000000007602} | 2552 | C:\Windows\sysmon64.exe | B
1953865 | {D25361F1-33A3-6307-2500-000000007602} | 2476 | C:\Windows\System32\spoolsv.exe | B
1953864 | {D25361F1-339C-6307-2300-000000007602} | 2332 | C:\Windows\System32\svchost.exe | B
1953863 | {D25361F1-3393-6307-1D00-000000007602} | 2088 | C:\Windows\system32\svchost.exe | B
1953862 | {D25361F1-3393-6307-1700-000000007602} | 1396 | C:\Windows\system32\svchost.exe | B
1953861 | {D25361F1-3393-6307-1600-000000007602} | 1308 | C:\Windows\system32\svchost.exe | B
1953860 | {D25361F1-3392-6307-1500-000000007602} | 1256 | C:\Windows\system32\svchost.exe | B
1953859 | {D25361F1-3392-6307-1400-000000007602} | 1084 | C:\Windows\system32\svchost.exe | B
1953858 | {D25361F1-3392-6307-1300-000000007602} | 928 | C:\Windows\system32\dwm.exe | B
1953857 | {D25361F1-3392-6307-1200-000000007602} | 484 | C:\Windows\System32\svchost.exe | B
1953856 | {D25361F1-3392-6307-1100-000000007602} | 420 | C:\Windows\System32\svchost.exe | B
1953855 | {D25361F1-3392-6307-1000-000000007602} | 440 | C:\Windows\system32\svchost.exe | B
1953854 | {D25361F1-3392-6307-0F00-000000007602} | 108 | C:\Windows\System32\svchost.exe | B
1953853 | {D25361F1-3392-6307-0E00-000000007602} | 996 | C:\Windows\system32\LogonUI.exe | B
1953852 | (Event ID 10, Computer win-dc-ctus-attack-range-854.attackrange.local, 2022-08-25; the remaining fields of this record continue beyond this section)
10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:42.220{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000663245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:43.095{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF210DAA3891F9F646D0D061AA73D05,SHA256=FAFABF18055803077408A7DE6C5DA305C21D0104932F59144FB5836C7D23D163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001953984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.689{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 10341000x80000000000000001953983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.685{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 10341000x80000000000000001953982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.681{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 23542300x80000000000000001953981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.550{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CC51217A8D575EF33D2495A5CFFA93,SHA256=A624B173626751C9EE352341800A49F7DAE612D09484B43E6A31A7E156A5B737,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001953980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.550{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3526F17D191466596F70C323DAA0E85B,SHA256=54989828BF326D635A7A11856ED4BFDF7DFC44FFB1A06F5AEF7B49F53E918C6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001953979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.251{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001953913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:43.235{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x80000000000000001954204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:42.751{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.223.106.200ec2-34-223-106-200.us-west-2.compute.amazonaws.com57370-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local3389ms-wbt-server
23542300x80000000000000001954203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.650{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6070B43551C91372D3460B929AB7DD,SHA256=C285932E8311EBED1A06F783C4E28B9528E5EA25BA67A14E9EF67F67561B7936,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001954202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.363{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
13241300x8000000000000000663248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-25 10:59:44.782{F6DB49F2-338F-6307-0B00-000000007702}632C:\Windows\system32\lsass.exeHKLM\SAM\SAM\Domains\Account\Users\000001F4\FBinary Data
354300x8000000000000000663247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:42.251{F6DB49F2-339B-6307-6200-000000007702}3336C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal51441-false10.0.1.12-8000-
23542300x8000000000000000663246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:44.180{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07867427AC1935FC61775E7CB3221104,SHA256=D0AF87542DBCDFC2D4F87240ED15D1B8F3828D924F4034D852AC5A6369133B07,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001954201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.361{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.358{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.356{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.354{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.352{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.349{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.346{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.344{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.318{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.312{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.310{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.308{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.302{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
10341000x80000000000000001954188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.284{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 10341000x80000000000000001954187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.281{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.281{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.281{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001954184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.281{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.280{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.280{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001954181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.280{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.280{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.280{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001954178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.279{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.279{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.279{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001954175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.278{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.278{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 10341000x80000000000000001954173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.278{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.278{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.278{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.277{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.277{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.277{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.277{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.277{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.277{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.276{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.276{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.276{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.275{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.275{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.275{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.275{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.275{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.275{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.275{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.274{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.274{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.274{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.274{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.274{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.274{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.273{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.273{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.273{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.273{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-3610-6307-F600-000000007602}5728C:\Users\Administrator\Downloads\procexp64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 10341000x80000000000000001954144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.272{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.272{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.272{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.272{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.272{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 10341000x80000000000000001954135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-35E9-6307-E200-000000007602}53164992C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190) 
10341000x80000000000000001954130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 
8.0\ida64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.271{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 
8.0\ida64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.270{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.270{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.270{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.270{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.269{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.269{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.269{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla 
10:59:44.266{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.266{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.266{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.266{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.266{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.266{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.266{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.265{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.264{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.263{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001954044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.262{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.261{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.260{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.260{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.260{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.260{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:44.260 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0900-000000007602} TargetProcessId=572 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954023 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.259 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0900-000000007602} TargetProcessId=572 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954022 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.259 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-35E2-6307-E000-000000007602} TargetProcessId=4860 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954021 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.256 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-33A3-6307-2800-000000007602} TargetProcessId=2568 TargetImage=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954020 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.256 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-33A3-6307-2700-000000007602} TargetProcessId=2560 TargetImage=C:\Windows\system32\dns.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954019 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.256 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-33A3-6307-2600-000000007602} TargetProcessId=2552 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954018 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.256 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-33A3-6307-2500-000000007602} TargetProcessId=2476 TargetImage=C:\Windows\System32\spoolsv.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954017 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.256 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-339C-6307-2300-000000007602} TargetProcessId=2332 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954016 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.256 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3393-6307-1D00-000000007602} TargetProcessId=2088 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954015 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.256 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3393-6307-1700-000000007602} TargetProcessId=1396 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954014 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.256 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3393-6307-1600-000000007602} TargetProcessId=1308 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954013 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.255 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-1500-000000007602} TargetProcessId=1256 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954012 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.255 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-1400-000000007602} TargetProcessId=1084 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954011 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.255 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-1300-000000007602} TargetProcessId=928 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954010 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.255 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-1200-000000007602} TargetProcessId=484 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954009 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.255 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-1100-000000007602} TargetProcessId=420 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954008 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.255 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-1000-000000007602} TargetProcessId=440 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954007 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.255 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-0F00-000000007602} TargetProcessId=108 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954006 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.254 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-0E00-000000007602} TargetProcessId=996 TargetImage=C:\Windows\system32\LogonUI.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954005 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.254 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-0D00-000000007602} TargetProcessId=892 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954004 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.254 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3392-6307-0C00-000000007602} TargetProcessId=836 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954003 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.254 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0B00-000000007602} TargetProcessId=632 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954002 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.254 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0A00-000000007602} TargetProcessId=624 TargetImage=C:\Windows\system32\services.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954001 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.253 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0900-000000007602} TargetProcessId=572 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.253 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0800-000000007602} TargetProcessId=496 TargetImage=C:\Windows\system32\csrss.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953999 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.253 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0700-000000007602} TargetProcessId=488 TargetImage=C:\Windows\system32\wininit.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953998 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.253 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-3390-6307-0500-000000007602} TargetProcessId=416 TargetImage=C:\Windows\system32\csrss.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953997 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.253 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-338D-6307-0200-000000007602} TargetProcessId=320 TargetImage=C:\Windows\System32\smss.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953996 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.252 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-338D-6307-0100-000000007602} TargetProcessId=4 TargetImage=System GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953995 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.248 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-35E2-6307-DF00-000000007602} TargetProcessId=4184 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
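The records above are Sysmon Event ID 10 (ProcessAccess) entries. The security-relevant fields are GrantedAccess and CallTrace: 0x1fffff is PROCESS_ALL_ACCESS, 0x1400 is PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, and 0x40 is PROCESS_DUP_HANDLE. procexp64.exe, run from a Downloads folder, opens lsass.exe (RecordID 1954003) with PROCESS_ALL_ACCESS, which is exactly the pattern LSASS credential-dumping detections key on; the aurora-agent.exe traces end in an UNKNOWN() frame, which is what a detection for unbacked (injected) code would also see. The following is an added example, not part of this dataset, Sysmon or any vendor tooling: it decodes the access mask into winnt.h right names, parses the CallTrace, and runs a simple triage over records constructed from the field values above (the four sample dictionaries, their abbreviated CallTrace values and the severity labels are the example's own assumptions).

```python
"""Decode Sysmon Event ID 10 GrantedAccess masks and triage LSASS access.

Added example. The sample records below are constructed from field values
visible in the Sysmon log above; envelope fields are omitted.
"""
import re
from typing import Dict, List, Tuple

# Process access rights from winnt.h (bit -> name).
# PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED (0xF0000) | SYNCHRONIZE (0x100000) | 0xFFFF = 0x1FFFFF
PROCESS_RIGHTS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the caller read or tamper with another process's memory.
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020  # VM_OPERATION | VM_READ | VM_WRITE


def decode_access(mask: int) -> List[str]:
    """Expand a GrantedAccess mask into right names, lowest bit first.
    Bits with no name in winnt.h (0x4000, 0x8000) are reported as hex."""
    names: List[str] = []
    bit = 1
    while bit <= mask:
        if mask & bit:
            names.append(PROCESS_RIGHTS.get(bit, hex(bit)))
        bit <<= 1
    return names


# "<module path>+<hex offset>" with an optional "(wow64)" suffix, as Sysmon writes it.
FRAME_RE = re.compile(r"^(?P<module>.+?)\+(?P<offset>[0-9a-fA-F]+)(\(wow64\))?$")


def parse_call_trace(trace: str) -> List[Tuple[str, int]]:
    """Split a Sysmon CallTrace into (module, offset) pairs. Frames Sysmon could
    not map to a loaded image appear as UNKNOWN(<address>); they are returned
    with module 'UNKNOWN' and the address as the offset."""
    frames: List[Tuple[str, int]] = []
    for frame in trace.split("|"):
        frame = frame.strip()
        if frame.startswith("UNKNOWN(") and frame.endswith(")"):
            frames.append(("UNKNOWN", int(frame[8:-1], 16)))
            continue
        m = FRAME_RE.match(frame)
        if m:
            frames.append((m.group("module"), int(m.group("offset"), 16)))
    return frames


def analyze(event: Dict[str, str]) -> Dict[str, object]:
    """Evaluate one Event ID 10 record: decoded rights plus (severity, finding) pairs."""
    mask = int(event["GrantedAccess"], 16)
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    frames = parse_call_trace(event["CallTrace"])
    findings: List[Tuple[str, str]] = []
    # Memory-capable handle to LSASS is the classic credential-dump precursor.
    if target == "lsass.exe" and (mask & MEMORY_RIGHTS or mask == PROCESS_ALL_ACCESS):
        findings.append(("high", "lsass_memory_access"))
    # A caller frame not backed by any image is worth a look, but legitimate
    # agents (e.g. the aurora-agent record above) produce it too, so keep it low.
    if any(module == "UNKNOWN" for module, _ in frames):
        findings.append(("low", "unbacked_call_frame"))
    return {"record": event["RecordID"], "source": event["SourceImage"],
            "target": event["TargetImage"], "rights": decode_access(mask),
            "findings": findings}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [analyze(e) for e in events]


# Constructed sample input, taken from the log above (CallTrace abbreviated for two records).
PROCEXP = r"C:\Users\Administrator\Downloads\procexp64.exe"
AURORA = r"C:\Program Files\Aurora-Agent\aurora-agent.exe"
TRACE_PROCEXP = (r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|"
                 + PROCEXP + r"+a822a|" + PROCEXP + r"+836d5|" + PROCEXP + r"+c799c|"
                 r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791")
TRACE_AURORA = (r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|"
                r"C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|"
                r"C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|"
                r"C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|"
                r"C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|"
                + AURORA + r"+69f35|UNKNOWN(0000000017A3C190)")
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"RecordID": "1954003", "SourceImage": PROCEXP, "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": TRACE_PROCEXP},
    {"RecordID": "1954023", "SourceImage": PROCEXP, "TargetImage": r"C:\Windows\system32\winlogon.exe",
     "GrantedAccess": "0x1400", "CallTrace": TRACE_PROCEXP},
    {"RecordID": "1953993", "SourceImage": AURORA, "TargetImage": r"C:\Windows\system32\svchost.exe",
     "GrantedAccess": "0x40", "CallTrace": TRACE_AURORA},
    {"RecordID": "1954002", "SourceImage": PROCEXP, "TargetImage": r"C:\Windows\system32\services.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": TRACE_PROCEXP},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['record']} {r['source']} -> {r['target']}: {', '.join(r['rights'][:4])}...")
        for severity, name in r["findings"]:
            print(f"    [{severity}] {name}")
```

Note that Process Explorer legitimately requests PROCESS_ALL_ACCESS on every process, so the lsass finding fires on RecordID 1954003 as it would on a dumper. Tuning by SourceImage path is unsafe because the path here (a Downloads folder) is attacker-controllable; exclude by the source image's signature or hash instead, and keep the mask and CallTrace conditions as the rule body.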
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953994 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.226 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-35E0-6307-DE00-000000007602} TargetProcessId=5008 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953993 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.221 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-35E0-6307-D600-000000007602} TargetProcessId=4472 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953992 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.214 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-35E0-6307-D300-000000007602} TargetProcessId=4392 TargetImage=C:\Windows\System32\rdpclip.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953991 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.210 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-35DE-6307-D000-000000007602} TargetProcessId=3896 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953990 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.208 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-35DD-6307-CE00-000000007602} TargetProcessId=764 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953989 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.206 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-341E-6307-8900-000000007602} TargetProcessId=3136 TargetImage=C:\Windows\System32\msdtc.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953988 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.203 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33B6-6307-7B00-000000007602} TargetProcessId=2184 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953987 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.201 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33AF-6307-7100-000000007602} TargetProcessId=3892 TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953986 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.200 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A5-6307-4500-000000007602} TargetProcessId=3548 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1953985 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:44.198 SourceProcessGUID={D25361F1-35E9-6307-E200-000000007602} SourceProcessId=5316 SourceThreadId=4992 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={D25361F1-33A5-6307-4100-000000007602} TargetProcessId=3460 TargetImage=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017A3C190)
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=663250 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-538 RuleName=- UtcTime=2022-08-25 10:59:45.818 ProcessGuid={F6DB49F2-33A2-6307-6D00-000000007702} ProcessId=3760 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=C5836C036EB371543F1C0948AD2E5F2B,SHA256=9CA4173F898FB932ECA725305462AD2A76E9928352E49D751E71D6AEE96F01AA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=663249 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-538 RuleName=- UtcTime=2022-08-25 10:59:45.266 ProcessGuid={F6DB49F2-33A2-6307-6D00-000000007702} ProcessId=3760 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=3892B4B8132A617B221E1BEEB118B72F,SHA256=C8FC5C45DAC014EFAF5FBDEC062563761A29FE517EBF7BD90CED042631B76B05,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1954272 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.750 ProcessGuid={D25361F1-33B6-6307-7B00-000000007602} ProcessId=2184 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=58F1A35A0148E85A48A46A6F9CC7D846,SHA256=4A816A3AE2714184372EF05A3B926E5561B525D1EE6E7C99E4D9058BF5C81C21,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954271 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-52AD-6307-E404-000000007602} TargetProcessId=7476 TargetImage=C:\Windows\SYSTEM32\notepad.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954270 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4AD7-6307-F503-000000007602} TargetProcessId=6996 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954269 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4AD1-6307-F403-000000007602} TargetProcessId=7488 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954268 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4AD0-6307-F303-000000007602} TargetProcessId=9620 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954267 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4AB4-6307-EB03-000000007602} TargetProcessId=6088 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954266 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4A8F-6307-EA03-000000007602} TargetProcessId=6404 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954265 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-49F6-6307-CD03-000000007602} TargetProcessId=7868 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954264 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-436A-6307-0703-000000007602} TargetProcessId=6260 TargetImage=C:\Program Files\IDA Freeware 8.0\ida64.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954263 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-4210-6307-D702-000000007602} TargetProcessId=7048 TargetImage=C:\Windows\System32\win32calc.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954262 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A5-6307-3901-000000007602} TargetProcessId=6588 TargetImage=C:\Windows\ImmersiveControlPanel\SystemSettings.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954261 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A2-6307-3301-000000007602} TargetProcessId=5680 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954260 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A2-6307-3201-000000007602} TargetProcessId=3700 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954259 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A1-6307-3101-000000007602} TargetProcessId=4360 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954258 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A1-6307-3001-000000007602} TargetProcessId=5144 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954257 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A0-6307-2F01-000000007602} TargetProcessId=4596 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954256 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 10:59:45.289 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-361E-6307-FB00-000000007602} TargetProcessId=6112 TargetImage=C:\Users\Administrator\Downloads\Procmon64.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1954255 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-854.attackrange.local RuleName=- UtcTime=2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.289{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.557{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program 
Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-49F4-6307-6303-000000007702}1616C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.556{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B71-6307-A901-000000007702}5084C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.556{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B71-6307-A801-000000007702}5076C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.543{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B5F-6307-9C01-000000007702}3680C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.528{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B5E-6307-9B01-000000007702}3404C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 354300x8000000000000000663285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:43.983{F6DB49F2-338F-6307-1000-000000007702}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse34.223.106.200ec2-34-223-106-200.us-west-2.compute.amazonaws.com57703-false10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal3389ms-wbt-server 10341000x8000000000000000663284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.502{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B5D-6307-9801-000000007702}3868C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.495{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B5D-6307-8E01-000000007702}3892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.487{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program 
Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B5D-6307-8B01-000000007702}3988C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.480{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B5B-6307-8601-000000007702}1048C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.478{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3B5B-6307-8401-000000007702}2780C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.474{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-340A-6307-8200-000000007702}1708C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.471{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-33A2-6307-6D00-000000007702}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.465{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-339B-6307-6200-000000007702}3336C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.464{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3392-6307-3D00-000000007702}2800C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.461{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3392-6307-3C00-000000007702}3060C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.459{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3391-6307-2B00-000000007702}2880C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.454{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3391-6307-2500-000000007702}2544C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.452{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program 
Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-2400-000000007702}2328C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.447{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-2200-000000007702}1196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.443{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-2100-000000007702}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.440{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1F00-000000007702}1984C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.437{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1E00-000000007702}1948C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 
10341000x8000000000000000663267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.435{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1C00-000000007702}1888C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.427{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1900-000000007702}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.425{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program 
Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1700-000000007702}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.415{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1600-000000007702}1188C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.405{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1500-000000007702}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.380{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1400-000000007702}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.374{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1300-000000007702}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.366{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program 
Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1200-000000007702}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.358{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-3390-6307-1100-000000007702}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 23542300x8000000000000000663258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.351{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540D5265E0C159BEDAF7BCBC816E082E,SHA256=C942B4D6FD1FE11150184B6B090E839DFCA66B77B387971C2C959A4C9340643F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000663257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:46.342{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-338F-6307-1000-000000007702}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.336{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-338F-6307-0F00-000000007702}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.329{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program 
Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-338F-6307-0E00-000000007702}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.318{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-338F-6307-0D00-000000007702}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130DA3D0) 10341000x8000000000000000663253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:46.309{F6DB49F2-3B66-6307-9E01-000000007702}44724556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-338F-6307-0C00-000000007702}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
10:59:46.294{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:46.294{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:46.294{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:46.294{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:46.294{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:46.294{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000663291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:47.596{F6DB49F2-33A2-6307-6D00-000000007702}3760NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB519E0A7533E6A7E5921A292A06A158,SHA256=767CBB519B68CFCF1E31D2722B81D5C26D5CFD324AEAF09C9C92E81EFD27301C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001954409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.549{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0922F09EF29F4815C60B80244019AE03,SHA256=E61FEE1F3234F424D8BD8E91B177C65A8B04F2385BAD4BA9DDDDDF0BACF1B5BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001954408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 
8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000663303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.645{F6DB49F2-33A2-6307-6D00-000000007702}3760NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0647DF50FB684B9C02F9049D830A1A42,SHA256=16FDE24932B1E326AC2567008B341FF02FED6D9F72494AFDC5C378AD3E928254,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001954479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:45.953{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local64277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x80000000000000001954478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:48.450{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA78D1D22A9D84563546830BE0B54C5B,SHA256=5C9F3773CD3B2606F146528A33C8BB74F931046C47B5D4466CD907588D7C442B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001954477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:48.318{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001954476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:48.318{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:48.318{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:48.578{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-338F-6307-0B00-000000007702}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.578{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-338F-6307-0B00-000000007702}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 
10:59:48.578{F6DB49F2-338F-6307-0B00-000000007702}632680C:\Windows\system32\lsass.exe{F6DB49F2-3390-6307-1400-000000007702}376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000663299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.570{F6DB49F2-3B66-6307-9E01-000000007702}4472C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000663298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.570{F6DB49F2-3B66-6307-9E01-000000007702}4472C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 
734700x8000000000000000663297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.569{F6DB49F2-3B66-6307-9E01-000000007702}4472C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 354300x8000000000000000663296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:47.326{F6DB49F2-339B-6307-6200-000000007702}3336C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal51442-false10.0.1.12-8000- 734700x8000000000000000663295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.565{F6DB49F2-3B66-6307-9E01-000000007702}4472C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000663294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.565{F6DB49F2-3B66-6307-9E01-000000007702}4472C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 
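The export above has lost every field delimiter, so each Sysmon event can only be read back by relying on the fixed field order of its schema. The block below is an added example (it is not code from this page, from Sysmon, or from the Attack Range environment that produced the records): it parses the Event ID 10 (ProcessAccess) records with a regex keyed to that order and then runs a small lsass.exe handle-access check over four records copied verbatim from this page. Assumptions made here: the fields appear in Sysmon Event 10 schema-version-3 order (EventID Version Level Task Opcode Keywords RecordID Channel Computer "-" UtcTime SourceProcessGUID SourceProcessId+SourceThreadId SourceImage TargetProcessGUID TargetProcessId TargetImage GrantedAccess CallTrace) with nothing between them, records are separated by whitespace, the call trace starts with a drive-letter path or UNKNOWN(...), and the allow-list and severity tiers are illustrative rather than a Sysmon or Splunk rule. Two things the records themselves show and the code has to live with: SourceProcessId and SourceThreadId are fused into one digit run (57285268), so they cannot be split reliably, and procexp64.exe opens every process on the box with 0x1fffff (System PID 4, smss.exe, lsass.exe alike), so "PROCESS_ALL_ACCESS against lsass.exe" by itself is noisy and the check keys on the PROCESS_VM_READ bit, the target name and the source image.

```python
"""Parse delimiter-stripped Sysmon Event ID 10 records and flag lsass.exe opens
that carry memory-read rights.

Added example for this log export, not code from Sysmon or from the export's
source environment. Field order, separators and the allow-list are assumptions
stated in the lead-in; access-right bit values are the winnt.h constants."""
import re
from dataclasses import dataclass

# Process access rights (winnt.h), used to decode GrantedAccess.
ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF  # the mask procexp64.exe requests for every process above

# Header "10 3 4 10 0 0x8000000000000000 <RecordID>" is concatenated as "10341000x8000000000000000<RecordID>".
EVENT10 = re.compile(
    r"(?:^|(?<=\s))10\d\d10\d0x80{15}(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>\S+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<src_guid>[0-9A-Fa-f-]+)\}(?P<src_pid_tid>\d+)(?P<src_image>[^{]+)"
    r"\{(?P<tgt_guid>[0-9A-Fa-f-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>.+?)"
    # GrantedAccess must be matched lazily: the first call-trace frame begins with "C:", and C is a hex digit.
    r"(?P<access>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|UNKNOWN)"
    r"(?P<calltrace>.*?)(?=\s\d+0x80{15}\d+Microsoft-Windows-Sysmon|\s*\Z)"
)

@dataclass
class ProcessAccess:
    record_id: int
    computer: str
    utc: str
    src_pid_tid: str   # PID and TID digits are fused in this export; kept raw on purpose
    src_image: str
    tgt_pid: int
    tgt_image: str
    granted_access: int
    calltrace: tuple

def parse_process_access(blob):
    """Return the Event ID 10 records in a flattened export; other event types are skipped."""
    text = re.sub(r"\s+", " ", blob).strip()  # undo the export's line wrapping
    return [ProcessAccess(int(m["record_id"]), m["computer"], m["utc"], m["src_pid_tid"],
                          m["src_image"], int(m["tgt_pid"]), m["tgt_image"],
                          int(m["access"], 16), tuple(m["calltrace"].split("|")))
            for m in EVENT10.finditer(text)]

def describe_access(mask):
    """Named rights present in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

# Illustrative allow-list (an assumption of this example): images that routinely open
# lsass.exe. In production match on signer or hash, not path; a path is trivially spoofed.
TRUSTED_LSASS_READERS = {r"c:\windows\system32\svchost.exe",
                         r"c:\windows\system32\wininit.exe",
                         r"c:\windows\system32\csrss.exe"}

def assess_lsass_access(rec):
    """None when benign, otherwise (severity, reason). Query-only opens such as the
    0x1400 lsm.dll RPC path on this page carry no VM_READ and are ignored."""
    if rec.tgt_image.lower().rsplit("\\", 1)[-1] != "lsass.exe":
        return None
    if not rec.granted_access & PROCESS_VM_READ:
        return None
    rights = ("PROCESS_ALL_ACCESS" if rec.granted_access == PROCESS_ALL_ACCESS
              else "+".join(describe_access(rec.granted_access)))
    unbacked = sum(1 for f in rec.calltrace if f.upper().startswith("UNKNOWN"))
    reason = f"{rec.src_image} opened lsass.exe with {rights} (0x{rec.granted_access:x})"
    if unbacked:
        reason += f"; {unbacked} call-trace frame(s) in unbacked memory"
    if rec.src_image.lower() in TRUSTED_LSASS_READERS and not unbacked:
        return ("low", reason)
    if unbacked or not rec.src_image.lower().startswith("c:\\windows\\"):
        return ("high", reason)
    return ("medium", reason)

def find_lsass_alerts(blob):
    """(record_id, severity, reason) for every flagged Event 10 record in the export."""
    alerts = []
    for rec in parse_process_access(blob):
        verdict = assess_lsass_access(rec)
        if verdict:
            alerts.append((rec.record_id, verdict[0], verdict[1]))
    return alerts

# Four records copied from this page: procexp64 -> lsass (0x1fffff), procexp64 -> System
# (wrapped across lines as the export wraps it), an Event 23 FileDelete the parser must skip,
# and svchost -> lsass (0x1400). Joined with the single space the export uses between records.
SAMPLE_EXPORT = " ".join([
    r"10341000x80000000000000001954349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    r"10341000x80000000000000001954342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 " "\n"
    r"10:59:47.296{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    r"23542300x8000000000000000663303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.645{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0647DF50FB684B9C02F9049D830A1A42,SHA256=16FDE24932B1E326AC2567008B341FF02FED6D9F72494AFDC5C378AD3E928254,IMPHASH=00000000000000000000000000000000falsetrue",
    r"10341000x8000000000000000663302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.578{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-338F-6307-0B00-000000007702}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
])

if __name__ == "__main__":
    for rec in parse_process_access(SAMPLE_EXPORT):
        print(rec.record_id, rec.src_image, "->", rec.tgt_image,
              hex(rec.granted_access), assess_lsass_access(rec))
```

Run as-is, the three Event 10 records parse (the FileDelete record is skipped), and only record 1954349 is flagged: procexp64.exe running from a Downloads folder opened lsass.exe with PROCESS_ALL_ACCESS, while the same tool's identical open of the System process and svchost.exe's 0x1400 query of lsass.exe produce nothing. Process Explorer is a legitimate Sysinternals tool, which is exactly why a path-based verdict is only a triage hint here: a renamed credential dumper in the same folder would look identical in this export, so the fields worth pivoting on are the image hash or signature (available from Sysmon Event 1 for the same ProcessGuid) and whether any CallTrace frame sits in unbacked memory (UNKNOWN), which none of the frames on this page do.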
734700x8000000000000000663293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.565{F6DB49F2-3B66-6307-9E01-000000007702}4472C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000663292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:48.564{F6DB49F2-338F-6307-0C00-000000007702}7284948C:\Windows\system32\svchost.exe{F6DB49F2-3B66-6307-9E01-000000007702}4472C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:48.318{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Sysmon Event ID 10 (ProcessAccess) records, channel Microsoft-Windows-Sysmon/Operational, computer win-dc-ctus-attack-range-854.attackrange.local, 2022-08-25.
Fields shared by every record in the table: EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, RuleName "-", SourceProcessGUID {D25361F1-3610-6307-F600-000000007602}, SourceProcessId 5728, SourceThreadId 5268, SourceImage C:\Users\Administrator\Downloads\procexp64.exe, GrantedAccess 0x1fffff.

CallTrace A: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
CallTrace B: C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID  UtcTime       TargetProcessGUID                        TargetProcessId  TargetImage                                                                                  CallTrace
1954473        10:59:48.318  {D25361F1-4AB4-6307-EB03-000000007602}  6088             C:\Program Files\Mozilla Firefox\firefox.exe                                                 A
1954472        10:59:48.318  {D25361F1-4A8F-6307-EA03-000000007602}  6404             C:\Windows\system32\wbem\wmiprvse.exe                                                        A
1954471        10:59:48.318  {D25361F1-49F6-6307-CD03-000000007602}  7868             C:\Program Files\Mozilla Firefox\firefox.exe                                                 A
1954470        10:59:48.318  {D25361F1-436A-6307-0703-000000007602}  6260             C:\Program Files\IDA Freeware 8.0\ida64.exe                                                  A
1954469        10:59:48.318  {D25361F1-4210-6307-D702-000000007602}  7048             C:\Windows\System32\win32calc.exe                                                            A
1954468        10:59:48.318  {D25361F1-37A5-6307-3901-000000007602}  6588             C:\Windows\ImmersiveControlPanel\SystemSettings.exe                                          A
1954467        10:59:48.318  {D25361F1-37A2-6307-3301-000000007602}  5680             C:\Program Files\Mozilla Firefox\firefox.exe                                                 A
1954466        10:59:48.318  {D25361F1-37A2-6307-3201-000000007602}  3700             C:\Program Files\Mozilla Firefox\firefox.exe                                                 A
1954465        10:59:48.318  {D25361F1-37A1-6307-3101-000000007602}  4360             C:\Program Files\Mozilla Firefox\firefox.exe                                                 A
1954464        10:59:48.318  {D25361F1-37A1-6307-3001-000000007602}  5144             C:\Program Files\Mozilla Firefox\firefox.exe                                                 A
1954463        10:59:48.318  {D25361F1-37A0-6307-2F01-000000007602}  4596             C:\Program Files\Mozilla Firefox\firefox.exe                                                 A
1954462        10:59:48.318  {D25361F1-361E-6307-FB00-000000007602}  6112             C:\Users\Administrator\Downloads\Procmon64.exe                                               A
1954461        10:59:48.318  {D25361F1-35FB-6307-F000-000000007602}  4288             C:\Windows\system32\conhost.exe                                                              A
1954460        10:59:48.318  {D25361F1-35FB-6307-EF00-000000007602}  4276             C:\Windows\system32\cmd.exe                                                                  A
1954459        10:59:48.318  {D25361F1-35E9-6307-E200-000000007602}  5316             C:\Program Files\Aurora-Agent\aurora-agent.exe                                               A
1954458        10:59:48.318  {D25361F1-35E2-6307-E000-000000007602}  4860             C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe                  A
1954457        10:59:48.318  {D25361F1-35E2-6307-DF00-000000007602}  4184             C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe              A
1954456        10:59:48.318  {D25361F1-35E0-6307-DE00-000000007602}  5008             C:\Windows\Explorer.EXE                                                                      A
1954455        10:59:48.318  {D25361F1-35E0-6307-D600-000000007602}  4472             C:\Windows\system32\svchost.exe                                                              A
1954454        10:59:48.318  {D25361F1-35E0-6307-D300-000000007602}  4392             C:\Windows\System32\rdpclip.exe                                                              A
1954453        10:59:48.318  {D25361F1-35DE-6307-D000-000000007602}  3896             C:\Windows\system32\dwm.exe                                                                  A
1954452        10:59:48.318  {D25361F1-35DD-6307-CE00-000000007602}  764              C:\Windows\system32\winlogon.exe                                                             A
1954451        10:59:48.318  {D25361F1-35DD-6307-CD00-000000007602}  1324             C:\Windows\system32\csrss.exe                                                                B
1954450        10:59:48.318  {D25361F1-341E-6307-8900-000000007602}  3136             C:\Windows\System32\msdtc.exe                                                                A
1954449        10:59:48.318  {D25361F1-33B6-6307-7B00-000000007602}  2184             C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe                           A
1954448        10:59:48.318  {D25361F1-33AF-6307-7100-000000007602}  3892             C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  A
1954447        10:59:48.318  {D25361F1-33A5-6307-4500-000000007602}  3548             C:\Windows\system32\conhost.exe                                                              A
1954446        10:59:48.318  {D25361F1-33A5-6307-4100-000000007602}  3460             C:\Program Files\Amazon\SSM\ssm-agent-worker.exe                                             A
1954445        10:59:48.318  {D25361F1-33A4-6307-3A00-000000007602}  3188             C:\Windows\System32\vds.exe                                                                  A
1954444        10:59:48.318  {D25361F1-33A4-6307-3700-000000007602}  3120             C:\Windows\system32\conhost.exe                                                              A
1954443        10:59:48.318  {D25361F1-33A3-6307-3100-000000007602}  2960             C:\Windows\system32\wbem\unsecapp.exe                                                        A
1954442        10:59:48.318  {D25361F1-33A3-6307-2F00-000000007602}  2772             C:\Windows\system32\DFSRs.exe                                                                A
1954441        10:59:48.318  {D25361F1-33A3-6307-2E00-000000007602}  2764             C:\Windows\system32\dfssvc.exe                                                               A
1954440        10:59:48.318  {D25361F1-33A3-6307-2D00-000000007602}  2752             C:\Windows\System32\ismserv.exe                                                              A
1954439        10:59:48.318  {D25361F1-33A3-6307-2C00-000000007602}  2604             C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe                                    A
1954438        10:59:48.318  {D25361F1-33A3-6307-2B00-000000007602}  2596             C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe                                             A
1954437        10:59:48.318  {D25361F1-33A3-6307-2900-000000007602}  2580             C:\Windows\system32\svchost.exe                                                              A
1954436        10:59:48.317  {D25361F1-33A3-6307-2800-000000007602}  2568             C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                                    A
1954435        10:59:48.317  {D25361F1-33A3-6307-2700-000000007602}  2560             C:\Windows\system32\dns.exe                                                                  A
1954434        10:59:48.317  {D25361F1-33A3-6307-2600-000000007602}  2552             C:\Windows\sysmon64.exe                                                                      A
1954433        10:59:48.316  {D25361F1-33A3-6307-2500-000000007602}  2476             C:\Windows\System32\spoolsv.exe                                                              A
1954432        10:59:48.316  {D25361F1-339C-6307-2300-000000007602}  2332             C:\Windows\System32\svchost.exe                                                              A
1954431        10:59:48.316  {D25361F1-3393-6307-1D00-000000007602}  2088             C:\Windows\system32\svchost.exe                                                              A
1954430        10:59:48.316  {D25361F1-3393-6307-1700-000000007602}  1396             C:\Windows\system32\svchost.exe                                                              A
1954429        10:59:48.316  {D25361F1-3393-6307-1600-000000007602}  1308             C:\Windows\system32\svchost.exe                                                              A
1954428        10:59:48.316  {D25361F1-3392-6307-1500-000000007602}  1256             C:\Windows\system32\svchost.exe                                                              A
1954427        10:59:48.316  {D25361F1-3392-6307-1400-000000007602}  1084             C:\Windows\system32\svchost.exe                                                              A
1954426        10:59:48.316  {D25361F1-3392-6307-1300-000000007602}  928              C:\Windows\system32\dwm.exe                                                                  A
1954425        10:59:48.315  {D25361F1-3392-6307-1200-000000007602}  484              C:\Windows\System32\svchost.exe                                                              A
1954424        10:59:48.315  {D25361F1-3392-6307-1100-000000007602}  420              C:\Windows\System32\svchost.exe                                                              A
1954423        10:59:48.315  {D25361F1-3392-6307-1000-000000007602}  440              C:\Windows\system32\svchost.exe                                                              A
1954422        10:59:48.315  {D25361F1-3392-6307-0F00-000000007602}  108              C:\Windows\System32\svchost.exe                                                              A
1954421        10:59:48.315  {D25361F1-3392-6307-0E00-000000007602}  996              C:\Windows\system32\LogonUI.exe                                                              A
1954420        10:59:48.315  {D25361F1-3392-6307-0D00-000000007602}  892              C:\Windows\system32\svchost.exe                                                              A
1954419        10:59:48.315  {D25361F1-3392-6307-0C00-000000007602}  836              C:\Windows\system32\svchost.exe                                                              A
1954418        10:59:48.314  {D25361F1-3390-6307-0B00-000000007602}  632              C:\Windows\system32\lsass.exe                                                                A
1954417        10:59:48.314  {D25361F1-3390-6307-0A00-000000007602}  624              C:\Windows\system32\services.exe                                                             B
1954416        10:59:48.314  {D25361F1-3390-6307-0900-000000007602}  572              C:\Windows\system32\winlogon.exe                                                             A
1954415        10:59:48.314  {D25361F1-3390-6307-0800-000000007602}  496              C:\Windows\system32\csrss.exe                                                                B
1954414        10:59:48.314  {D25361F1-3390-6307-0700-000000007602}  488              C:\Windows\system32\wininit.exe                                                              B
1954413        10:59:48.314  {D25361F1-3390-6307-0500-000000007602}  416              C:\Windows\system32\csrss.exe                                                                B
1954412        10:59:48.313  {D25361F1-338D-6307-0200-000000007602}  320              C:\Windows\System32\smss.exe                                                                 B

10341000x80000000000000001954411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:48.313{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001954410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:47.996{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4655DDA7B17237758113F47CB6F90391,SHA256=97F9A4DB3BB1CCF12CC6AA1D8B8DBC1EBF60CAADEBD55E1E56B3BB6AF19C6B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000663304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:49.724{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB79E32BE01AF9DE5582AB806BBFF023,SHA256=6E778847665922BE09AE3BA8065506108848A440331E0BF9A1AB2577ADBA42CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001954549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.565{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C4AEF8A4292B4E3904D1F2D2B4FE1E,SHA256=22597A23F6E658FA451C4F978025E5BE0E69D18F1014AD2AD86A88C34EC9E4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001954548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.364{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75FE5C508A144E102459B14DB4867CC8,SHA256=52679DFA7A2E177FEDEB5831366DEEB019BDEFCF7711DF9EC59832F1ACF7EFB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001954547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 
8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:49.333{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:50.348{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001954551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:51.366{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:51.366{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:51.366{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:51.366{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:51.366{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001954623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:51.335{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EF701B2CE9409CFF3BB24FBDF8B747,SHA256=DDA7F1B9C655E5BF50C60A8BEC85E376F4AA5854B538884015B05ABCE555DD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000663307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:52.989{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75913D18B6FC79F84A9206220C346824,SHA256=A4F44381282780E1A444CB2013BF7C55C63BCE460ED650E6F5D68B271A315E3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001954762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:51.418{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local64279-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x80000000000000001954761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:51.418{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local64279-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x80000000000000001954760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.923{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EAC53DF45660941FE16A5446404D65,SHA256=3B91B8B03ABE83A66C77BC2F5499855150EDAEB79C5801F312CB9ABA779CE20D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001954759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:52.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:53.388{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 
8.0\ida64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 
8.0\ida64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.419{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.418{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.418{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program 
Sysmon Event ID 10 (ProcessAccess) records, reconstructed from the flattened export. Fields common to every record in this span:

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-ctus-attack-range-854.attackrange.local
RuleName: -
UtcTime: 2022-08-25 10:59:54.402 (the record that begins this span has its UtcTime on the preceding line)
SourceProcessGUID: {D25361F1-3610-6307-F600-000000007602}
SourceProcessId: 5728
SourceThreadId: 5268
SourceImage: C:\Users\Administrator\Downloads\procexp64.exe
GrantedAccess: 0x1400 (PROCESS_QUERY_INFORMATION 0x0400 | PROCESS_QUERY_LIMITED_INFORMATION 0x1000: a query-only open with no memory-write, thread-creation or suspend rights)

Where both records of a pair fall in this span, every target process is opened twice. The two CallTrace values differ only in the CorperfmonExt.dll frames; CallTrace B sits on the lower EventRecordID and CallTrace A on the next higher one. In both traces the open is issued from CorperfmonExt.dll (the .NET runtime performance counter DLL), reached through advapi32.dll and mscoree.dll from procexp64.exe, not from procexp64.exe's own frames; that is the call shape of performance-counter collection from inside a process-listing tool, and is the detail to check before treating a burst of 0x1400 opens as targeted process access.

CallTrace A: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

CallTrace B: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID | TargetProcessGUID | TargetProcessId | TargetImage | CallTrace
(header and leading fields on the preceding line) | (preceding line) | (preceding line) | Files\SplunkUniversalForwarder\bin\splunkd.exe (path tail only; the start of the path is on the preceding line) | A
1954904 | {D25361F1-33A3-6307-2C00-000000007602} | 2604 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | B
1954903 | {D25361F1-33A3-6307-2B00-000000007602} | 2596 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | A
1954902 | {D25361F1-33A3-6307-2B00-000000007602} | 2596 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | B
1954901 | {D25361F1-33A3-6307-2900-000000007602} | 2580 | C:\Windows\system32\svchost.exe | A
1954900 | {D25361F1-33A3-6307-2900-000000007602} | 2580 | C:\Windows\system32\svchost.exe | B
1954899 | {D25361F1-33A3-6307-2800-000000007602} | 2568 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | A
1954898 | {D25361F1-33A3-6307-2800-000000007602} | 2568 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | B
1954897 | {D25361F1-33A3-6307-2700-000000007602} | 2560 | C:\Windows\system32\dns.exe | A
1954896 | {D25361F1-33A3-6307-2700-000000007602} | 2560 | C:\Windows\system32\dns.exe | B
1954895 | {D25361F1-33A3-6307-2600-000000007602} | 2552 | C:\Windows\sysmon64.exe | A
1954894 | {D25361F1-33A3-6307-2600-000000007602} | 2552 | C:\Windows\sysmon64.exe | B
1954893 | {D25361F1-33A3-6307-2500-000000007602} | 2476 | C:\Windows\System32\spoolsv.exe | A
1954892 | {D25361F1-33A3-6307-2500-000000007602} | 2476 | C:\Windows\System32\spoolsv.exe | B
1954891 | {D25361F1-339C-6307-2300-000000007602} | 2332 | C:\Windows\System32\svchost.exe | A
1954890 | {D25361F1-339C-6307-2300-000000007602} | 2332 | C:\Windows\System32\svchost.exe | B
1954889 | {D25361F1-3393-6307-1D00-000000007602} | 2088 | C:\Windows\system32\svchost.exe | A
1954888 | {D25361F1-3393-6307-1D00-000000007602} | 2088 | C:\Windows\system32\svchost.exe | B
1954887 | {D25361F1-3393-6307-1700-000000007602} | 1396 | C:\Windows\system32\svchost.exe | A
1954886 | {D25361F1-3393-6307-1700-000000007602} | 1396 | C:\Windows\system32\svchost.exe | B
1954885 | {D25361F1-3393-6307-1600-000000007602} | 1308 | C:\Windows\system32\svchost.exe | A
1954884 | {D25361F1-3393-6307-1600-000000007602} | 1308 | C:\Windows\system32\svchost.exe | B
1954883 | {D25361F1-3392-6307-1500-000000007602} | 1256 | C:\Windows\system32\svchost.exe | A
1954882 | {D25361F1-3392-6307-1500-000000007602} | 1256 | C:\Windows\system32\svchost.exe | B
1954881 | {D25361F1-3392-6307-1400-000000007602} | 1084 | C:\Windows\system32\svchost.exe | A
1954880 | {D25361F1-3392-6307-1400-000000007602} | 1084 | C:\Windows\system32\svchost.exe | B
1954879 | {D25361F1-3392-6307-1300-000000007602} | 928 | C:\Windows\system32\dwm.exe | A
1954878 | {D25361F1-3392-6307-1300-000000007602} | 928 | C:\Windows\system32\dwm.exe | B
1954877 | {D25361F1-3392-6307-1200-000000007602} | 484 | C:\Windows\System32\svchost.exe | A
1954876 | only the header fields (Channel, Computer, RuleName -, date 2022-08-25) fall in this span; the remaining fields of this record follow on the next line
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12170|C:\Windows\System32\advapi32.dll+117c5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:54.402{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:55.439{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001955023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:55.340{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A1DCB661B970ED544B9F2A76109C22,SHA256=3537E08CDF0A169F6CC49B0B3487AAE424B5A001DE0B2E647BB5FE7C28526685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001955159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.559{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF026A1361E68910D11420B5F376F278,SHA256=1081B059109ED8A69F04BC8D303ED19A4E4225AA1532AF1075C54F7CB54102FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001955158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000663314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:56.998{F6DB49F2-3390-6307-1C00-000000007702}1888NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220825083218-143MD5=C9D2F4800B969CF17DD3E70127316002,SHA256=AAA7CE52DFC3AAA8DBB17579CF67CFE50E4FC6DBB5C0FFA993F9090287FD94B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000663313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:56.275{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88974BC122523FBFDEBF531BF11025CC,SHA256=5853F81F695226E4D2FC4C911B5AC1CA7CC2A2481EC13CD5202B6CD228E7EEE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001955156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001955155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001955152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001955149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000001955146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:56.469{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
Sysmon Event ID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-ctus-attack-range-854.attackrange.local, RuleName -.
Common EventData for every Event ID 10 record below: SourceProcessGUID {D25361F1-3610-6307-F600-000000007602}; SourceProcessId and SourceThreadId (run together in the source as 57285268); SourceImage C:\Users\Administrator\Downloads\procexp64.exe; GrantedAccess 0x1fffff.

CallTrace A: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
CallTrace B: C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage | CallTrace
1955143 | 2022-08-25 10:59:56.469 | {D25361F1-361E-6307-FB00-000000007602} | 6112 | C:\Users\Administrator\Downloads\Procmon64.exe | A
1955142 | 2022-08-25 10:59:56.469 | {D25361F1-35FB-6307-F000-000000007602} | 4288 | C:\Windows\system32\conhost.exe | A
1955141 | 2022-08-25 10:59:56.469 | {D25361F1-35FB-6307-EF00-000000007602} | 4276 | C:\Windows\system32\cmd.exe | A
1955140 | 2022-08-25 10:59:56.469 | {D25361F1-35E9-6307-E200-000000007602} | 5316 | C:\Program Files\Aurora-Agent\aurora-agent.exe | A
1955139 | 2022-08-25 10:59:56.469 | {D25361F1-35E2-6307-E000-000000007602} | 4860 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | A
1955138 | 2022-08-25 10:59:56.469 | {D25361F1-35E2-6307-DF00-000000007602} | 4184 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | A
1955137 | 2022-08-25 10:59:56.469 | {D25361F1-35E0-6307-DE00-000000007602} | 5008 | C:\Windows\Explorer.EXE | A
1955136 | 2022-08-25 10:59:56.469 | {D25361F1-35E0-6307-D600-000000007602} | 4472 | C:\Windows\system32\svchost.exe | A
1955135 | 2022-08-25 10:59:56.469 | {D25361F1-35E0-6307-D300-000000007602} | 4392 | C:\Windows\System32\rdpclip.exe | A
1955134 | 2022-08-25 10:59:56.469 | {D25361F1-35DE-6307-D000-000000007602} | 3896 | C:\Windows\system32\dwm.exe | A
1955133 | 2022-08-25 10:59:56.469 | {D25361F1-35DD-6307-CE00-000000007602} | 764 | C:\Windows\system32\winlogon.exe | A
1955132 | 2022-08-25 10:59:56.469 | {D25361F1-35DD-6307-CD00-000000007602} | 1324 | C:\Windows\system32\csrss.exe | B
1955131 | 2022-08-25 10:59:56.469 | {D25361F1-341E-6307-8900-000000007602} | 3136 | C:\Windows\System32\msdtc.exe | A
1955130 | 2022-08-25 10:59:56.469 | {D25361F1-33B6-6307-7B00-000000007602} | 2184 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | A
1955129 | 2022-08-25 10:59:56.469 | {D25361F1-33AF-6307-7100-000000007602} | 3892 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | A
1955128 | 2022-08-25 10:59:56.469 | {D25361F1-33A5-6307-4500-000000007602} | 3548 | C:\Windows\system32\conhost.exe | A
1955127 | 2022-08-25 10:59:56.469 | {D25361F1-33A5-6307-4100-000000007602} | 3460 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | A
1955126 | 2022-08-25 10:59:56.469 | {D25361F1-33A4-6307-3A00-000000007602} | 3188 | C:\Windows\System32\vds.exe | A
1955125 | 2022-08-25 10:59:56.469 | {D25361F1-33A4-6307-3700-000000007602} | 3120 | C:\Windows\system32\conhost.exe | A
1955124 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-3100-000000007602} | 2960 | C:\Windows\system32\wbem\unsecapp.exe | A
1955123 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2F00-000000007602} | 2772 | C:\Windows\system32\DFSRs.exe | A
1955122 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2D00-000000007602} | 2752 | C:\Windows\System32\ismserv.exe | A
1955121 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2E00-000000007602} | 2764 | C:\Windows\system32\dfssvc.exe | A
1955120 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2C00-000000007602} | 2604 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | A
1955119 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2B00-000000007602} | 2596 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | A
1955118 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2900-000000007602} | 2580 | C:\Windows\system32\svchost.exe | A
1955117 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2800-000000007602} | 2568 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | A
1955116 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2700-000000007602} | 2560 | C:\Windows\system32\dns.exe | A
1955115 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2600-000000007602} | 2552 | C:\Windows\sysmon64.exe | A
1955114 | 2022-08-25 10:59:56.469 | {D25361F1-33A3-6307-2500-000000007602} | 2476 | C:\Windows\System32\spoolsv.exe | A
1955113 | 2022-08-25 10:59:56.469 | {D25361F1-339C-6307-2300-000000007602} | 2332 | C:\Windows\System32\svchost.exe | A
1955112 | 2022-08-25 10:59:56.469 | {D25361F1-3393-6307-1D00-000000007602} | 2088 | C:\Windows\system32\svchost.exe | A
1955111 | 2022-08-25 10:59:56.469 | {D25361F1-3393-6307-1700-000000007602} | 1396 | C:\Windows\system32\svchost.exe | A
1955110 | 2022-08-25 10:59:56.469 | {D25361F1-3393-6307-1600-000000007602} | 1308 | C:\Windows\system32\svchost.exe | A
1955109 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-1500-000000007602} | 1256 | C:\Windows\system32\svchost.exe | A
1955108 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-1400-000000007602} | 1084 | C:\Windows\system32\svchost.exe | A
1955107 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-1300-000000007602} | 928 | C:\Windows\system32\dwm.exe | A
1955106 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-1200-000000007602} | 484 | C:\Windows\System32\svchost.exe | A
1955105 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-1100-000000007602} | 420 | C:\Windows\System32\svchost.exe | A
1955104 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-1000-000000007602} | 440 | C:\Windows\system32\svchost.exe | A
1955103 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-0F00-000000007602} | 108 | C:\Windows\System32\svchost.exe | A
1955102 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-0E00-000000007602} | 996 | C:\Windows\system32\LogonUI.exe | A
1955101 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-0D00-000000007602} | 892 | C:\Windows\system32\svchost.exe | A
1955100 | 2022-08-25 10:59:56.469 | {D25361F1-3392-6307-0C00-000000007602} | 836 | C:\Windows\system32\svchost.exe | A
1955099 | 2022-08-25 10:59:56.469 | {D25361F1-3390-6307-0B00-000000007602} | 632 | C:\Windows\system32\lsass.exe | A
1955098 | 2022-08-25 10:59:56.469 | {D25361F1-3390-6307-0A00-000000007602} | 624 | C:\Windows\system32\services.exe | B
1955097 | 2022-08-25 10:59:56.469 | {D25361F1-3390-6307-0900-000000007602} | 572 | C:\Windows\system32\winlogon.exe | A
1955096 | 2022-08-25 10:59:56.469 | {D25361F1-3390-6307-0800-000000007602} | 496 | C:\Windows\system32\csrss.exe | B
1955095 | 2022-08-25 10:59:56.469 | {D25361F1-3390-6307-0700-000000007602} | 488 | C:\Windows\system32\wininit.exe | B
1955094 | 2022-08-25 10:59:56.469 | {D25361F1-3390-6307-0500-000000007602} | 416 | C:\Windows\system32\csrss.exe | B
1955093 | 2022-08-25 10:59:56.469 | {D25361F1-338D-6307-0200-000000007602} | 320 | C:\Windows\System32\smss.exe | B
1955092 | 2022-08-25 10:59:56.469 | {D25361F1-338D-6307-0100-000000007602} | 4 | System | B

Sysmon Event ID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, RuleName -.

EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
663315 | win-host-ctus-attack-range-538 | 2022-08-25 10:59:57.367 | {F6DB49F2-33A2-6307-6D00-000000007702} | 3760 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B65724422CC30D4176D7CE017CBCF9FC,SHA256=2AEFD9DBB478EF0C1DE33972F30CA649DB61B7FB7B17EEE0B1418C373C0C617B,IMPHASH=00000000000000000000000000000000 | false | true
1955227 | win-dc-ctus-attack-range-854.attackrange.local | 2022-08-25 10:59:57.643 | {D25361F1-33B6-6307-7B00-000000007602} | 2184 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6F9D40992554E2C077E9ABC99DBC6A2D,SHA256=B64CFF9FC59B08E754CE4791CEF7990601DB2C32C9041D49D7099CF7AAE8C995,IMPHASH=00000000000000000000000000000000 | false | true

Sysmon Event ID 10 (ProcessAccess), same common fields as above (Computer win-dc-ctus-attack-range-854.attackrange.local, SourceImage C:\Users\Administrator\Downloads\procexp64.exe, GrantedAccess 0x1fffff).

EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage | CallTrace
1955226 | 2022-08-25 10:59:57.484 | {D25361F1-52AD-6307-E404-000000007602} | 7476 | C:\Windows\SYSTEM32\notepad.exe | A
1955225 | 2022-08-25 10:59:57.484 | {D25361F1-4AD7-6307-F503-000000007602} | 6996 | C:\Program Files\Mozilla Firefox\firefox.exe | A
1955224 | 2022-08-25 10:59:57.484 | {D25361F1-4AD1-6307-F403-000000007602} | 7488 | C:\Program Files\Mozilla Firefox\firefox.exe | A
1955223 | 2022-08-25 10:59:57.484 | {D25361F1-4AD0-6307-F303-000000007602} | 9620 | C:\Program Files\Mozilla Firefox\firefox.exe | A
1955222 | 2022-08-25 10:59:57.484 | {D25361F1-4AB4-6307-EB03-000000007602} | 6088 | C:\Program Files\Mozilla Firefox\firefox.exe | A
1955221 | 2022-08-25 10:59:57.484 | {D25361F1-4A8F-6307-EA03-000000007602} | 6404 | C:\Windows\system32\wbem\wmiprvse.exe | A
1955220 | 2022-08-25 10:59:57.484 | {D25361F1-49F6-6307-CD03-000000007602} | 7868 | C:\Program Files\Mozilla Firefox\firefox.exe | A
1955219 | 2022-08-25 10:59:57.484 | {D25361F1-436A-6307-0703-000000007602} | 6260 | C:\Program Files\IDA Freeware 8.0\ida64.exe | A
1955218 | 2022-08-25 10:59:57.484 | {D25361F1-4210-6307-D702-000000007602} | 7048 | C:\Windows\System32\win32calc.exe | A
1955217 | 2022-08-25 | | | |
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:57.484{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1600-000000007602}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1500-000000007602}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1400-000000007602}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1300-000000007602}928C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1200-000000007602}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1100-000000007602}420C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-1000-000000007602}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0F00-000000007602}108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0E00-000000007602}996C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0D00-000000007602}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3392-6307-0C00-000000007602}836C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0B00-000000007602}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0A00-000000007602}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0900-000000007602}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0800-000000007602}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0700-000000007602}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3390-6307-0500-000000007602}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0200-000000007602}320C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:58.499{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-338D-6307-0100-000000007602}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000663319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:58.387{F6DB49F2-339B-6307-6200-000000007702}3336C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal51444-false10.0.1.12-8000- 23542300x8000000000000000663318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 10:59:59.539{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1CC0203C95B533D2391C895564CEBC,SHA256=80477B989F29B55A4C7A55E26228B5AEDE936E4CD6B5B22882DBAF2EE54B763D,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001955416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.966{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000001955415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.966{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000001955414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.966{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x80000000000000001955413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.867{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F6584F7D63468B6D7B417BACF208A5,SHA256=9AA9EEDD875C2A348818B0EB1560F2346952A3EDBA9531B93868F1C42E85E8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001955412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.867{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8758E7A69E1D56F37CC7F0179361763C,SHA256=9F734A972E07CFDE60599FAD0D3F181E5A86974A6C3CF7BAFA1D61552ED76719,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001955411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.820{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000001955410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.820{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000001955409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.818{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000001955408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.815{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x80000000000000001955407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.798{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows 
Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000001955406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.798{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x80000000000000001955405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.798{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000001955404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.798{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x80000000000000001955403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000001955402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000001955401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x80000000000000001955400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000001955399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000001955398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000001955397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000001955396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000001955395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000001955394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000001955393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x80000000000000001955392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000001955391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000001955390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000001955389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000001955388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000001955387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000001955386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000001955385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000001955384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x80000000000000001955383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x80000000000000001955382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.782{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000001955381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000001955380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® 
Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000001955379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000001955378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000001955377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x80000000000000001955376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x80000000000000001955375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-33A4-6307-3700-000000007602}31203140C:\Windows\system32\conhost.exe{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x80000000000000001955374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000001955373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000001955372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000001955371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x80000000000000001955370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.767{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.767{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.767{D25361F1-3390-6307-0500-000000007602}416408C:\Windows\system32\csrss.exe{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001955365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.767{D25361F1-33A3-6307-2C00-000000007602}26043364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001955364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.768{D25361F1-562F-6307-4B05-000000007602}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-3391-6307-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001955363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 10:59:59.520{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
10:59:59.520 SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} SourceProcessId=5728 SourceThreadId=5268 SourceImage=C:\Users\Administrator\Downloads\procexp64.exe TargetProcessGUID={D25361F1-37A0-6307-2F01-000000007602} TargetProcessId=4596 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

The export runs every field value together with no delimiter; the records below are the same events with the fields split out in Sysmon schema order. Common to all of them: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-, Computer=win-dc-ctus-attack-range-854.attackrange.local (except record 663321, which is from win-host-ctus-attack-range-538).

Event 10 (ProcessAccess, Version=3, Task=10). Every row in this table has SourceImage=C:\Users\Administrator\Downloads\procexp64.exe, SourceProcessGUID={D25361F1-3610-6307-F600-000000007602}, SourceProcessId=5728, SourceThreadId=5268, GrantedAccess=0x1fffff, and one of two call traces:
[A] C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
[B] C:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

RecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage | CallTrace
1955348 | 2022-08-25 10:59:59.520 | {D25361F1-361E-6307-FB00-000000007602} | 6112 | C:\Users\Administrator\Downloads\Procmon64.exe | [A]
1955347 | 2022-08-25 10:59:59.520 | {D25361F1-35FB-6307-F000-000000007602} | 4288 | C:\Windows\system32\conhost.exe | [A]
1955346 | 2022-08-25 10:59:59.520 | {D25361F1-35FB-6307-EF00-000000007602} | 4276 | C:\Windows\system32\cmd.exe | [A]
1955345 | 2022-08-25 10:59:59.520 | {D25361F1-35E9-6307-E200-000000007602} | 5316 | C:\Program Files\Aurora-Agent\aurora-agent.exe | [A]
1955344 | 2022-08-25 10:59:59.520 | {D25361F1-35E2-6307-E000-000000007602} | 4860 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | [A]
1955343 | 2022-08-25 10:59:59.520 | {D25361F1-35E2-6307-DF00-000000007602} | 4184 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | [A]
1955342 | 2022-08-25 10:59:59.520 | {D25361F1-35E0-6307-DE00-000000007602} | 5008 | C:\Windows\Explorer.EXE | [A]
1955341 | 2022-08-25 10:59:59.520 | {D25361F1-35E0-6307-D600-000000007602} | 4472 | C:\Windows\system32\svchost.exe | [A]
1955340 | 2022-08-25 10:59:59.520 | {D25361F1-35E0-6307-D300-000000007602} | 4392 | C:\Windows\System32\rdpclip.exe | [A]
1955339 | 2022-08-25 10:59:59.520 | {D25361F1-35DE-6307-D000-000000007602} | 3896 | C:\Windows\system32\dwm.exe | [A]
1955338 | 2022-08-25 10:59:59.520 | {D25361F1-35DD-6307-CE00-000000007602} | 764 | C:\Windows\system32\winlogon.exe | [A]
1955337 | 2022-08-25 10:59:59.520 | {D25361F1-35DD-6307-CD00-000000007602} | 1324 | C:\Windows\system32\csrss.exe | [B]
1955336 | 2022-08-25 10:59:59.520 | {D25361F1-341E-6307-8900-000000007602} | 3136 | C:\Windows\System32\msdtc.exe | [A]
1955335 | 2022-08-25 10:59:59.520 | {D25361F1-33B6-6307-7B00-000000007602} | 2184 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | [A]
1955334 | 2022-08-25 10:59:59.520 | {D25361F1-33AF-6307-7100-000000007602} | 3892 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | [A]
1955333 | 2022-08-25 10:59:59.520 | {D25361F1-33A5-6307-4500-000000007602} | 3548 | C:\Windows\system32\conhost.exe | [A]
1955332 | 2022-08-25 10:59:59.520 | {D25361F1-33A5-6307-4100-000000007602} | 3460 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | [A]
1955331 | 2022-08-25 10:59:59.520 | {D25361F1-33A4-6307-3A00-000000007602} | 3188 | C:\Windows\System32\vds.exe | [A]
1955330 | 2022-08-25 10:59:59.520 | {D25361F1-33A4-6307-3700-000000007602} | 3120 | C:\Windows\system32\conhost.exe | [A]
1955329 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-3100-000000007602} | 2960 | C:\Windows\system32\wbem\unsecapp.exe | [A]
1955328 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2F00-000000007602} | 2772 | C:\Windows\system32\DFSRs.exe | [A]
1955327 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2E00-000000007602} | 2764 | C:\Windows\system32\dfssvc.exe | [A]
1955326 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2D00-000000007602} | 2752 | C:\Windows\System32\ismserv.exe | [A]
1955325 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2C00-000000007602} | 2604 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | [A]
1955324 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2B00-000000007602} | 2596 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | [A]
1955323 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2900-000000007602} | 2580 | C:\Windows\system32\svchost.exe | [A]
1955322 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2800-000000007602} | 2568 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | [A]
1955321 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2700-000000007602} | 2560 | C:\Windows\system32\dns.exe | [A]
1955320 | 2022-08-25 10:59:59.519 | {D25361F1-33A3-6307-2500-000000007602} | 2476 | C:\Windows\System32\spoolsv.exe | [A]
1955319 | 2022-08-25 10:59:59.520 | {D25361F1-33A3-6307-2600-000000007602} | 2552 | C:\Windows\sysmon64.exe | [A]
1955318 | 2022-08-25 10:59:59.519 | {D25361F1-339C-6307-2300-000000007602} | 2332 | C:\Windows\System32\svchost.exe | [A]
1955317 | 2022-08-25 10:59:59.519 | {D25361F1-3393-6307-1D00-000000007602} | 2088 | C:\Windows\system32\svchost.exe | [A]
1955316 | 2022-08-25 10:59:59.519 | {D25361F1-3393-6307-1700-000000007602} | 1396 | C:\Windows\system32\svchost.exe | [A]
1955315 | 2022-08-25 10:59:59.519 | {D25361F1-3393-6307-1600-000000007602} | 1308 | C:\Windows\system32\svchost.exe | [A]
1955314 | 2022-08-25 10:59:59.519 | {D25361F1-3392-6307-1500-000000007602} | 1256 | C:\Windows\system32\svchost.exe | [A]
1955313 | 2022-08-25 10:59:59.519 | {D25361F1-3392-6307-1400-000000007602} | 1084 | C:\Windows\system32\svchost.exe | [A]
1955312 | 2022-08-25 10:59:59.519 | {D25361F1-3392-6307-1300-000000007602} | 928 | C:\Windows\system32\dwm.exe | [A]
1955311 | 2022-08-25 10:59:59.519 | {D25361F1-3392-6307-1200-000000007602} | 484 | C:\Windows\System32\svchost.exe | [A]
1955310 | 2022-08-25 10:59:59.518 | {D25361F1-3392-6307-1100-000000007602} | 420 | C:\Windows\System32\svchost.exe | [A]
1955309 | 2022-08-25 10:59:59.518 | {D25361F1-3392-6307-1000-000000007602} | 440 | C:\Windows\system32\svchost.exe | [A]
1955308 | 2022-08-25 10:59:59.518 | {D25361F1-3392-6307-0F00-000000007602} | 108 | C:\Windows\System32\svchost.exe | [A]
1955307 | 2022-08-25 10:59:59.518 | {D25361F1-3392-6307-0E00-000000007602} | 996 | C:\Windows\system32\LogonUI.exe | [A]
1955306 | 2022-08-25 10:59:59.518 | {D25361F1-3392-6307-0D00-000000007602} | 892 | C:\Windows\system32\svchost.exe | [A]
1955305 | 2022-08-25 10:59:59.518 | {D25361F1-3392-6307-0C00-000000007602} | 836 | C:\Windows\system32\svchost.exe | [A]
1955304 | 2022-08-25 10:59:59.518 | {D25361F1-3390-6307-0B00-000000007602} | 632 | C:\Windows\system32\lsass.exe | [A]
1955303 | 2022-08-25 10:59:59.517 | {D25361F1-3390-6307-0A00-000000007602} | 624 | C:\Windows\system32\services.exe | [B]
1955302 | 2022-08-25 10:59:59.517 | {D25361F1-3390-6307-0900-000000007602} | 572 | C:\Windows\system32\winlogon.exe | [A]
1955301 | 2022-08-25 10:59:59.517 | {D25361F1-3390-6307-0800-000000007602} | 496 | C:\Windows\system32\csrss.exe | [B]
1955300 | 2022-08-25 10:59:59.517 | {D25361F1-3390-6307-0700-000000007602} | 488 | C:\Windows\system32\wininit.exe | [B]
1955299 | 2022-08-25 10:59:59.517 | {D25361F1-3390-6307-0500-000000007602} | 416 | C:\Windows\system32\csrss.exe | [B]
1955298 | 2022-08-25 10:59:59.516 | {D25361F1-338D-6307-0200-000000007602} | 320 | C:\Windows\System32\smss.exe | [B]
1955297 | 2022-08-25 10:59:59.516 | {D25361F1-338D-6307-0100-000000007602} | 4 | System | [B]

Event 3 (NetworkConnect, Version=5, Task=3), RecordID=1955296: UtcTime=2022-08-25 10:59:56.889 | ProcessGuid={D25361F1-33AF-6307-7100-000000007602} | ProcessId=3892 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-ctus-attack-range-854.attackrange.local | SourcePort=64281 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal | DestinationPort=8000 | DestinationPortName=-

Event 23 (FileDelete, Version=5, Task=23), RecordID=663321, Computer=win-host-ctus-attack-range-538: UtcTime=2022-08-25 11:00:00.625 | ProcessGuid={F6DB49F2-33A2-6307-6D00-000000007702} | ProcessId=3760 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=1B653FCB38029CB446B73F20F8DD3C4C,SHA256=388220F75AAFC2848070FC670B8B835C3FF4A2A2B5E5E7E0F0350C941BD76FBA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

Event 10 (ProcessAccess, Version=3, Task=10), RecordID=1955540: UtcTime=2022-08-25 11:00:00.667 | SourceProcessGUID={D25361F1-5630-6307-4C05-000000007602} | SourceProcessId=5676 | SourceThreadId=9272 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | TargetProcessGUID={D25361F1-33A3-6307-2C00-000000007602} | TargetProcessId=2604 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Event 7 (ImageLoad, Version=3, Task=7), RecordID=1955539: UtcTime=2022-08-25 11:00:00.667 | ProcessGuid={D25361F1-5630-6307-4C05-000000007602} | ProcessId=5676 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | ImageLoaded=C:\Windows\System32\dbgcore.dll | FileVersion=10.0.14321.1024 (debuggers(dbg).210127-1811) | Description=Windows Core Debugging Helpers | Product=Microsoft® Windows® Operating System | Company=Microsoft | OriginalFileName=DBGCORE.DLL | Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

Event 7 (ImageLoad, Version=3, Task=7), RecordID=1955538: UtcTime=2022-08-25 11:00:00.667 | ProcessGuid={D25361F1-5630-6307-4C05-000000007602} | ProcessId=5676 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | ImageLoaded=C:\Windows\System32\dbghelp.dll | FileVersion=10.0.14321.1024 (rs1_release.160715-1616) | Description=Windows Image Helper | Product=Microsoft® Windows® Operating System | Company=Microsoft | OriginalFileName=DBGHELP.DLL | Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

Event 10 (ProcessAccess, Version=3, Task=10), RecordID=1955537: UtcTime=2022-08-25 11:00:00.551 | SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} | SourceProcessId=5728 | SourceThreadId=5268 | SourceImage=C:\Users\Administrator\Downloads\procexp64.exe | TargetProcessGUID={D25361F1-5630-6307-4C05-000000007602} | TargetProcessId=5676 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Event 10 (ProcessAccess, Version=3, Task=10), RecordID=1955536: UtcTime=2022-08-25 11:00:00.551 | SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} | SourceProcessId=5728 | SourceThreadId=5268 | SourceImage=C:\Users\Administrator\Downloads\procexp64.exe | TargetProcessGUID={D25361F1-5630-6307-4C05-000000007602} | TargetProcessId=5676 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79335|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793e7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b5f9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b4e9|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Event 7 (ImageLoad, Version=3, Task=7), RecordID=1955535: UtcTime=2022-08-25 11:00:00.551 | ProcessGuid={D25361F1-3610-6307-F600-000000007602} | ProcessId=5728 | Image=C:\Users\Administrator\Downloads\procexp64.exe | ImageLoaded=C:\Windows\System32\psapi.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Process Status Helper | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=PSAPI | Hashes=MD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

Event 10 (ProcessAccess, Version=3, Task=10), RecordID=1955534: UtcTime=2022-08-25 11:00:00.551 | SourceProcessGUID={D25361F1-3610-6307-F600-000000007602} | SourceProcessId=5728 | SourceThreadId=5268 | SourceImage=C:\Users\Administrator\Downloads\procexp64.exe | TargetProcessGUID={D25361F1-5630-6307-4C05-000000007602} | TargetProcessId=5676 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-5630-6307-4C05-000000007602}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-5630-6307-4C05-000000007602}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.536{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000001955424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.435{D25361F1-5630-6307-4C05-000000007602}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x80000000000000001955423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.435{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.435{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000663320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 11:00:00.070{F6DB49F2-3390-6307-2100-000000007702}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0D0C64467FB280DCB77937F48D965C7C,SHA256=5CB8EFF302280F49A799016D5801BE5E064DC3514BFCC380B7DA24704B20F2B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001955421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.435{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.435{D25361F1-3392-6307-0C00-000000007602}8368632C:\Windows\system32\svchost.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:00.435{D25361F1-3390-6307-0500-000000007602}416532C:\Windows\system32\csrss.exe{D25361F1-5630-6307-4C05-000000007602}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001955418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.435{D25361F1-33A3-6307-2C00-000000007602}26043364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-5630-6307-4C05-000000007602}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001955417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:00.436{D25361F1-5630-6307-4C05-000000007602}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-3391-6307-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001955694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.729{D25361F1-35E9-6307-E200-000000007602}53165452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980610) 23542300x80000000000000001955693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.726{D25361F1-33B6-6307-7B00-000000007602}2184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089074FF7A02021795FE1B6366C3661F,SHA256=A64C89FC00359550C3E01712A3E46ACB1E45497A14FAF2AE2653880C1215ED45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001955692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.722{D25361F1-35E9-6307-E200-000000007602}53165452C:\Program 
Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980610) 10341000x80000000000000001955691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.716{D25361F1-35E9-6307-E200-000000007602}53165452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980610) 10341000x80000000000000001955690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.710{D25361F1-35E9-6307-E200-000000007602}53165452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980610) 10341000x80000000000000001955689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.703{D25361F1-35E9-6307-E200-000000007602}53165452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980610) 10341000x80000000000000001955688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.697{D25361F1-35E9-6307-E200-000000007602}53165452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980610) 10341000x80000000000000001955687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.694{D25361F1-35E9-6307-E200-000000007602}53165452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980610) 10341000x80000000000000001955686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-52AD-6307-E404-000000007602}7476C:\Windows\SYSTEM32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD7-6307-F503-000000007602}6996C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD1-6307-F403-000000007602}7488C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AD0-6307-F303-000000007602}9620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4AB4-6307-EB03-000000007602}6088C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4A8F-6307-EA03-000000007602}6404C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-49F6-6307-CD03-000000007602}7868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-436A-6307-0703-000000007602}6260C:\Program Files\IDA Freeware 
8.0\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.565{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-4210-6307-D702-000000007602}7048C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.564{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A5-6307-3901-000000007602}6588C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.563{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3301-000000007602}5680C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.563{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A2-6307-3201-000000007602}3700C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.563{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3101-000000007602}4360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.563{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A1-6307-3001-000000007602}5144C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.563{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-37A0-6307-2F01-000000007602}4596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.563{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-361E-6307-FB00-000000007602}6112C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:01.562{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-F000-000000007602}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.562{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35FB-6307-EF00-000000007602}4276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.562{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E9-6307-E200-000000007602}5316C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 
11:00:01.562{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-E000-000000007602}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.562{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E2-6307-DF00-000000007602}4184C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.561{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-DE00-000000007602}5008C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.561{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D600-000000007602}4472C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.561{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35E0-6307-D300-000000007602}4392C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000663322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-25 11:00:01.717{F6DB49F2-33A2-6307-6D00-000000007702}3760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E52FAFFBB28B844D14252A9E7A906D,SHA256=B965ECB2F75FE7A8BCA79114281C7EF4B66317CE61E3AE8FC5E7BCC878C14871,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001955662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.560{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DE-6307-D000-000000007602}3896C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.560{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CE00-000000007602}764C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.560{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-35DD-6307-CD00-000000007602}1324C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5d64|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\Administrator\Downloads\procexp64.exe+a8288|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.560{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-341E-6307-8900-000000007602}3136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.560{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33B6-6307-7B00-000000007602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.560{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33AF-6307-7100-000000007602}3892C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.559{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4500-000000007602}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.559{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A5-6307-4100-000000007602}3460C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.559{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3A00-000000007602}3188C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.559{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A4-6307-3700-000000007602}3120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.559{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-3100-000000007602}2960C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.559{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2F00-000000007602}2772C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.558{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2E00-000000007602}2764C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.558{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2D00-000000007602}2752C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.558{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2C00-000000007602}2604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.558{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2B00-000000007602}2596C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.558{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2900-000000007602}2580C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.557{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2800-000000007602}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.557{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2700-000000007602}2560C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.556{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2600-000000007602}2552C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.556{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-33A3-6307-2500-000000007602}2476C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.556{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-339C-6307-2300-000000007602}2332C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.556{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1D00-000000007602}2088C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-25 11:00:01.556{D25361F1-3610-6307-F600-000000007602}57285268C:\Users\Administrator\Downloads\procexp64.exe{D25361F1-3393-6307-1700-000000007602}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x80000000000000001955638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local